IASME welcomes Maritime Cyber Baseline trainer, William Wright, to the team!
Maritime Cyber Baseline is a cyber security certification scheme for vessels of all classifications. The important cyber security controls outlined in the scheme help vessels take significant steps towards compliance with the cyber requirements set by the IMO, Port Authorities, and Classification Authorities.
How did you first hear about IASME?
When I first started my business, I was looking for ways to stand out. At the time, we were trusted partners with the Scottish Business Resilience Centre (SBRC), and I came across Cyber Essentials for the first time. I’d never heard of it before, so I decided to look into it. When I opened the Cyber Essentials Certification Body map on IASME’s website, I noticed there wasn’t a single Certification Body in the northern half of Scotland. That gave me what I thought was a genius idea—if we became the only pin in the north of Scotland, people would see us on the map and think, “what’s that way up there?” They’d click on us and say, “Oh wow, look at these people!”
So, we went through the accreditation process and became a Certification Body. Sure enough, we still manage to surprise people with what we do compared to where we are!
We started with Cyber Essentials and Cyber Essentials Plus, but we had to get certified ourselves first. I became an Assessor, and for the first six months, it was one of our main income streams. It was a great way to get started and was an insightful glimpse into our own cyber security posture as we went through the certification.
Tell us about your new role as a trainer for the Maritime Cyber Baseline (MCB) scheme.
As the trainer for the MCB scheme, my role is to help people understand how to apply the methodology behind the framework. The trainees already have the skills—they’re experts in their field. My job is to show them how to transfer those skills into the MCB methodology, so they can help their clients achieve accreditation, or move closer towards it.
I’ll also be working with the Certification Manager, Craig Wooldridge, to develop the scheme further and raise awareness.
The Maritime Cyber Baseline scheme is still in its early stages, but it’s growing very quickly. All the vessels I certified last year have renewed their accreditation, and I’m getting more and more direct enquiries. The great thing about MCB is that it’s both repeatable and measurable, which makes it really useful across the maritime industry. The industry isn’t short of regulation and certifications, but when it comes to cyber security, there hasn’t been anything like this before. I think MCB could become the benchmark—like ISO 27001, but for boats.
Tell us about your background. How did you get into this field?
I’ve always been curious about how things work. As a kid, I’d break my toys into pieces and try to put them back together again, and that curiosity eventually turned into an interest in computers. When I was about 14, I started working at a local computer shop, repairing computers and removing viruses. It was my first exposure to cyber security, even though it wasn’t really an industry as we know it now.
After college, I joined the “BT Desktop Refresh,” where I was installing new computers in schools, and from there my career really started to take shape. My first MSP job was with a small Dundee company of about 15 staff. Unlike in larger IT roles where you’re stuck in one lane, I had to handle the entire tech stack. I’d get sent out to fix things I’d never even heard of before, often in remote areas with no mobile signal. It was a trial-by-fire experience, but I learned so much.
I joined BAE Systems and worked on the UK’s aircraft carrier program, doing system integration, security, and infrastructure work. That role also gave me my first real exposure to penetration testing and high-security environments. After a few years, I moved to QinetiQ where I worked on systems for the UK’s nuclear submarine deterrent. I was based in the Highlands of Scotland, which was incredibly remote, but the isolation gave me a lot of free time to study and develop my skills. I earned certifications like OSCP and Crest CRT, and I started learning from QinetiQ’s internal pen testing team, which was one of the few in-house teams around at the time.
Eventually, I landed my first full-time lead penetration tester role with Unipart Group. They started as a car parts company but have since grown into a massive organisation, with interests in railways, automotive manufacturing, and more. That role allowed me to focus entirely on penetration testing and security consulting, which was a big step forward in my career. I also had a short stint with NATO in Belgium which was another opportunity to work in a high-security environment and further refine my skills.
By this point, my career had started to focus heavily on the maritime sector and eventually, I decided to take the leap and start my own company, Closed Door Security. One of the more unique niches I found myself in was working with superyachts. It’s a fascinating area because these vessels are essentially floating luxury hotels with incredibly complex systems, and they need to be secure, given the status of some of the owners and individuals aboard.
What is your current area of focus in your work?
I used to specialise in penetration testing and red teaming, but these days I’m more focused on translating what the technical team does into something useful for the client. I spend a lot of my time writing reports, and making sure the clients understand any findings and get the most value out of what we’re doing.
What recent developments are shaping maritime cyber security?
The biggest shift recently is connectivity. Starlink is the obvious one. Satellite Internet Service is a satellite internet constellation developed and operated by SpaceX, which aims to provide high-speed, low-latency internet access to underserved and remote areas around the world, including ships at sea. Even VESA (best known for its standards that ensure compatibility between different devices, such as monitors, TVs, graphics cards, and mounting systems), which used to be massively expensive, is becoming a lot cheaper now. So, you’re getting these high-bandwidth, low-latency links to vessels that historically were never secured because they were considered safe due to their isolation. But now, all of a sudden, they’re in the middle of the sea with internet connectivity, and a lot of them still lack basic segmentation, monitoring, and access control. You’ll often find operational technology (OT) and information technology (IT) systems mixed together.
There was a recent case involving two Iranian oil shipping companies. Apparently, 116 of their oil tankers were disabled. There’s not much information released, but the group that claimed responsibility said they managed to disable the communications. These ships relied on their communications networks to get their geolocations, so they stopped moving because they didn’t know where they were. If that’s true, it’s huge. You’ve just shut down an entire country’s shipping capacity in seconds. Unfortunately, I think we’re going to see a lot more of that in the near future.
What’s unique about training maritime cyber security Assessors?
If you look at training assessors for Cyber Essentials or Cyber Essentials Plus, there’s some technical skills training involved, but it’s mainly focused on understanding the standard. With the Maritime Cyber Baseline, there’s almost no technical skills training because, to even get to the stage where you’re training to become an Assessor, you need a verified background and expertise in what you’re doing.
We’re not teaching them how to do these things; we’re teaching them how to apply their skills to the standard. It’s about guiding them to interpret the risks on each vessel and fit that into the standard, along with any regulatory frameworks. It’s all about practical application—how to assess engine management networks, satellite links, segregated IT and OT systems, and how to deliver the assessment in a way that aligns with the Maritime Cyber Baseline.
Tell us something that most people don’t know about you.
The first one is that I’ve robbed four banks in my career—with their permission, of course!
The second one is that I have a rally license. I used to build and race rally cars, and I still do sometimes; it’s usually on a track rather than in the mountains or on the moors. I absolutely love it—it’s such a thrill.
What changes are on the horizon for maritime cyber security?
Every time I speak to a vessel owner, the conversation is evolving. Three or four years ago, they’d ask, “Why do I need cyber security?” Now, the conversation is, “How can I take care of my cyber security?” It’s a complete one-eighty from the owners, electro-technical officers (ETOs), and captains.
What will be the big drivers towards certification?
I think there’ll be a big attack somewhere—I don’t know where or when—but that’s going to wake up all the owners and operators who aren’t paying attention. The ones who are paying attention are already doing something about it, but there’s still a significant portion that aren’t. Either that, or the IMO will enforce stricter rules for vessels. One of those two things will be a huge driver. I don’t think we’re far away from either of those.
What are some common misconceptions about maritime cyber security?
The easiest one is that vessels are isolated when they’re out at sea and therefore safe. In reality, because they’ve got Starlink or VESA on board, they’re essentially traditional enterprise networks with almost no security in place. It’s like exposing a bank to the internet with no security.
Are there cyber attackers specialising in maritime vessels?
Absolutely. There are ransomware groups and criminal gangs that specifically target the maritime sector. They go after vessels and their owners, essentially acting like modern-day pirates.
How do you see certifications like the MCB shaping regulation?
I think we’ll start to see it integrated into the shipbuilding process. Right now, there are lots of certifications for other aspects of shipbuilding, but there’s not one for cyber security. I think this will start in the luxury yacht space because the people who own those vessels often come from business backgrounds where cyber security regulations already apply. They’ll start asking, “What about the vessel? What certification is there for that?”
From there, I think builders and refurbishing companies will start looking for certifications to fill that gap. The Maritime Cyber Baseline, with its basic framework, will play a big role in that, especially in the UK, but also throughout Europe and the rest of the world.
Any surprising discoveries from maritime assessments?
One of the most interesting ones was on a superyacht. I was reviewing a Kerio firewall, which is commonly used on superyachts, and I discovered that one of the crew members was mining cryptocurrency on board. They were using the owner’s internet at an insane rate—something like 12 gigabytes per hour.
The air conditioning, electricity, and bandwidth usage would spike every time they were on the yacht, and then it would drop when they left. It turned out they were bringing the mining equipment on and off the yacht with them. Neither the owner, the captain, nor the other crew members had any idea.
After I’d figured it out, the crew member was escorted off the ship very quickly. That’s probably the coolest discovery I’ve made. Most of the other ones are either boring or things I’m not allowed to share!
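As an added example (not from the interview, and not Kerio's own tooling), this is the kind of per-host bandwidth check that surfaces the pattern described above. It runs over constructed traffic records in an assumed (hour, client, bytes) shape; a host whose hourly transfer passes an assumed hard limit or dwarfs its peers is flagged, and its hours of presence are listed so the spike can be matched against who was aboard.

```python
"""Flag hosts whose hourly traffic is far above the vessel's norm."""
from collections import defaultdict
from statistics import median

GB = 1_000_000_000

# Constructed sample records (hour bucket, client name, bytes transferred).
# Not real firewall output; the record shape is an assumption for this example.
SAMPLE = [
    ("2024-05-01T09", "bridge-pc", 400_000_000),
    ("2024-05-01T09", "crew-laptop-7", 12_500_000_000),
    ("2024-05-01T09", "owner-ipad", 900_000_000),
    ("2024-05-01T10", "bridge-pc", 350_000_000),
    ("2024-05-01T10", "crew-laptop-7", 13_100_000_000),
    ("2024-05-01T10", "owner-ipad", 1_200_000_000),
    ("2024-05-01T11", "bridge-pc", 420_000_000),
    ("2024-05-01T11", "owner-ipad", 800_000_000),  # crew-laptop-7 has gone ashore
]


def hourly_totals(records):
    """Sum bytes per (hour, client) so multiple records per hour are merged."""
    totals = defaultdict(int)
    for hour, client, nbytes in records:
        totals[(hour, client)] += nbytes
    return totals


def flag_hosts(records, hard_limit=8 * GB, ratio=10.0):
    """Return {client: [hours]} for hosts over hard_limit in an hour, or more
    than `ratio` times the median of the other hosts seen in that hour.
    Both thresholds are assumptions chosen for this example."""
    by_hour = defaultdict(dict)
    for (hour, client), n in hourly_totals(records).items():
        by_hour[hour][client] = n
    flagged = defaultdict(list)
    for hour, clients in sorted(by_hour.items()):
        for client, n in clients.items():
            others = [v for c, v in clients.items() if c != client]
            baseline = median(others) if others else 0
            if n >= hard_limit or (baseline and n > ratio * baseline):
                flagged[client].append(hour)
    return dict(flagged)


def presence_hours(records, client):
    """Hours in which the client appeared at all; a load that comes and goes
    with a particular device is the lead to follow up with the crew."""
    return sorted({h for h, c, _ in records if c == client})
```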
To find out more about IASME Maritime Cyber Baseline, email the scheme Certification Manager, [email protected]