Interview with Maritime consultant Malcolm Warr OBE

IASME make waves with the Maritime Cyber Baseline scheme, a certification for maritime vessels. Maritime consultant, Malcolm Warr OBE shows us the ropes.

Developed with maritime experts, Infosec Partners and supported by the Royal Institution of Naval Architects, the Maritime Cyber Baseline scheme was launched by IASME in 2021.

The scheme is an affordable and practical way for shipping operators and vessel owners to improve their cyber security to reduce the likelihood of a cyber-attack disrupting their day-to-day operations. Maritime Cyber Baseline certification enables a path to compliance with the IMO Maritime Cyber Risk Management guidelines and is open to vessels of all sizes and classifications, including yachts, commercial, passenger ships and merchant vessels.

As IASME ventures into the previously uncharted waters of maritime cyber, we are fortunate to count experienced maritime consultant Malcolm Warr OBE as one of our senior advisors. Speaking with Malcolm is utterly fascinating, as he has anecdotes and adventures that tempt one down numerous tangents; he speaks Russian and Arabic, travels extensively and is a believer in learning about people from face-to-face contact and listening.

Malcolm was initially inspired by a series of talks at school about the future being digital which he wisely took note of. He went on to study Electrical Engineering followed by naval and civilian logistics at University. An eclectic career ensued that included 25 years in the Royal Navy, experience in corporate management, and senior advisor positions to global businesses and Government about security issues. Malcolm modestly suggests that his varied career has made him an expert in nothing but has given him quite a good awareness of the total picture and some of the pitfalls.

Welcome aboard Malcolm, tell us more about your experience in maritime cyber security.

I first got interested in the challenges of cyber security when reading the papers of Vice Admiral John Godfrey, Director of Naval Intelligence from 1939 to 1942, accredited by Ian Fleming as his model for “M”. Godfrey saw the threats going forward from increasing use of data and recognised the need for training to counter the threat to start from a common baseline.

During the Cold War, I used to be given access to high-level intelligence briefings and it became apparent cyber warfare would become important. I saw the importance of Godfrey’s prescience. Subsequently in industry, I mentored teams in the old Defence Research Agency (now known as QinetiQ) – all of which had a strong digital thread. I was also Head of Military networks for Selex, now incorporated into Leonardo MW. These all had a digital implication and reinforced my emerging view that attacks on digital societies would become significant. I have had a pretty continuous career in the maritime sector which includes being part of senior management teams globally which has been useful to understand the need for structure, regular monitoring of performance and rigorous independent reviewing.

More recently, I have chaired a number of maritime security conferences, run a physical security company and been a piracy expert witness for UK Admiralty Court cases.

How did you become involved in the IASME Maritime Cyber Baseline scheme?

I have known IASME for some years and I like their collective spirit and understanding that people learn from basics rather than pages and pages of instructions. I especially like the way that they accept and use the talents from our diverse communities. This is very important when trying to understand threats from foreign adversaries who may well have different cultures and think differently to us in the United Kingdom.

How is the appetite in the industry for a scheme like this?

As a member of the London maritime club, Anchorites, I regularly meet senior members of the maritime community. It is obvious that there are still large gaps in application of cyber resilience. A maritime baseline version of a basic cyber security scheme would go a long way in building necessary awareness across the whole industry and thus the right and appropriate actions in the maritime workplace.

The nature of the industry does not lend itself easily to recognising new challenges to its way of operation. Ship Masters are often too busy to digest cyber implications and technical staff are too involved in the detail of running the vessel. Complicated instructions and too much tech talk are a big turn-off all round.

What kind of seafaring vessels are at risk of cyber attack?

Basically all. But tankers and large container ships are part of complex global supply chains and any attacks on them can have very disproportionate consequences on economies.

The threats are multiple but essentially split into two groups: operational technology (OT) and information technology (IT). The main difference between OT and IT devices is that OT devices control the physical world, while IT systems manage data. Examples of OT include propulsion control, steering, ballasting etc. As all forms of digital technology continue to expand, the connection between IT and OT on board vessels produces a greater overall vulnerability and therefore risk.

The most relevant is potential attacks on communications and navigation equipment; all have a human factors implication which is often forgotten.

Can you give an example of a maritime cyber attack?

Maersk is probably the second if not the biggest shipping business in the world. In 2017, someone switched on the computer in their London office and they realised that they had been hit by a cyber attack.

The outage left Maersk unable to process shipping orders until systems were restored, freezing revenue from several of the company’s shipping container lines for weeks. In total, three of the conglomerate’s nine business units experienced disruptions stemming from the attack.

Much of Maersk’s backup data had been corrupted by the NotPetya malware but they did manage to restore it by pure luck and some inventiveness. It probably cost them a minimum of $300 million but that’s the sort of fee you’re talking about for a large cyber attack.

What are some of the issues and barriers in the maritime world?

The maritime industry’s approach to many things is not particularly coordinated. Much of the cyber security advice is far too complex for seafarers to understand and act upon, and there is a lack of regular appropriate and collective, relevant training.

In simple terms, you have a shore organisation which will be affiliated with lots of other organisations, for example, an insurance company and a flag state which for a merchant vessel is the jurisdiction under whose laws the vessel is registered or licensed, and is deemed the nationality of the vessel. There is also the shipping agency and there might be a parent company.

At sea, you can have everything from a relatively small superyacht up to a cargo carrier. Today’s largest container ships measure 400 metres (1,300 ft) in length and they carry loads equal to the cargo-carrying capacity of sixteen to seventeen pre-World War II freighter ships. A container ship can hold anywhere between 10,000 TEU to 21,000 TEUs (containers) and each container might have half a million items in it. So, even if just one ship is disabled or delayed in delivery, it will cause a wide spectrum of potential supply chain vulnerabilities. There is obviously a large difference between a tanker and a container ship and a superyacht but they can all suffer from the same problem. The approach to cyber resilience is often too technical and too demanding, threats are not properly distinguished and too much or the wrong sort of information can be given to them. It is a top-down directive approach which is not matched by feedback from the front line, which means very few seafarers get to grips with what they actually need to do practically on board.

KISS (Keep it Simple Stupid) is a term that was first used in the US Navy and is thought to have been coined by Kelly Johnson, who was the lead engineer at the Lockheed Skunk Works. Never has this phrase been more appropriate than with maritime cyber security. It needs to be basic but drawn from experience and capable of being built upon into process and procedures which are more substantial. Process and procedure needs to be fed by good advice from trusted sources, good data, good threat analysis, so that you can gear the thing up rather than gear it down.

How tech savvy are the maritime community?

It is basically split into two camps. There are high tech gurus who can overstate the risks and complexities and the vast majority of seafarers who have the same level of tech savvy as the average citizen. None of this is malicious, it’s a case of the psychology of misunderstanding.

Is there a new role for an IT specialist in the crew? Or is cyber training a necessity for maritime staff?

Many vessels’ crew are very small. I don’t see a role for a specialist IT crew member in many instances. It should be a whole ship responsibility led by the Ship’s Captain/Master, however, continuous but relevant training is essential.

Looking to the future

I am keen to promote the “Work Up” approach which is used by navies to train their crews. When you join a ship, it’s often a new crew, there’s a lot of technical stuff on board and you need a process of working that up. You start by going around and doing a questionnaire which is an IASME baseline approach, you find out what people know, and they begin to understand what they don’t know. You then go through a number of exercises which are very similar to the ones that the National Cyber Security Centre have set up, an exercise in the box, for example, or a simulated exercise, which is what Plymouth University have been doing. You take a scenario and you play around with it, deliberately make it worse than it possibly is, so the crew begin to understand.

You then provide training which is tailored and relevant to that type of vessel and for which the crew take responsibility, so what you might do on a cruise ship will be a bit different to what you do on a tanker. You then follow that up by going back again and doing a further assessment to see how much they’ve learned, focusing all the time, not on what you’re telling them, but on what they’re understanding to help themselves. You end up with them hopefully training themselves, rather than you imposing something on them which they don’t fully understand.

In summary

It’s important to emphasise that the maritime industry is by its very nature global and much of cyber activity has gone on through national, or sovereign entities. This is a different issue which needs coordination on a global basis not just on a national basis.

People don’t fully understand that two vessels colliding in the Straits of Hormuz because their navigation systems have been interfered with would cause a major disruption to western economies. Even the blockage of a large container ship in the Suez Canal for another reason caused all sorts of excitement on the home front. The nature of this is slightly different from land in that the long term effects on the economies could be significant. If you analyse where both organised crime and warfare are going, it’s so much easier to carry out a cyber attack – it’s a hygienic approach to warfare if you like, but can cause a huge amount of disruption, quite disproportionate to what people think might happen.