Modern cyber security bears great resemblance to the Titanic disaster, says Stena CISO

The security head likens the maritime disaster to cyber security blunders and gives his thoughts on how to move forward

Magnus Carling

Magnus Carling, CISO of worldwide conglomerate Stena AB, likened modern cyber security practices to the oversights which led to the Titanic disaster in 1912.

Speaking at Cloudsec 2019, Carling told attendees "the iceberg was innocent. It wasn't the iceberg that made Titanic sink", before drawing some obvious comparisons between the famous sinking and modern cyber attacks.

Carling said the Titanic's captain ignored warnings from other ships about the iceberg ahead, much as system administrators sometimes ignore or misread the warning signs that a business is under attack.

In addition, the captain demonstrated unsafe practices by travelling at around 22 knots - much faster than was considered safe. Carling compared this to ignoring other security best practices, such as securing endpoints or managing patches adequately.


The crew tasked with keeping the ship running smoothly was also not given any sort of disaster training, said Carling, which is akin to not having a disaster recovery strategy in place should a business come under cyber attack.

The last similarity was that before leaving for her maiden voyage, the Titanic was equipped with too few lifeboats and the crew knew this and departed anyway. In doing so, the crew "silenced the security voice", Carling said.

"I can bet my dog that someone somewhere told someone in charge [that] it's not a good idea to run in that high speed, it's not a good idea to not have lifeboats and not train the crew how to use the lifeboats - and I think we're seeing this today, in many cases," he added.

Carling said cyber security practitioners need to ask themselves whether their security voice is strong enough. To keep it from being silenced, he argued, we must embrace regulations.

"But there's one thing that can help us which is a good thing and that's regulations because a lot of people think that regulations are like this heavy weighted blanket [and that] it's a lot of work being compliant. But they do help you because they give you arguments that you should improve your cyber security stature."

One such regulation that Carling heralded was the Network and Information Systems (NIS) Directive, adopted by EU member states in 2016 - the first EU-wide cyber security regulation. Carling said the NIS Directive is the cyber security equivalent of the Safety of Life at Sea (SOLAS) convention adopted by the maritime industry.

The NIS Directive aimed to unify cyber security standards within the EU, so that member states are not attacked through vulnerabilities in other nations. It was implemented in UK domestic law at the same time as GDPR.

But regulations alone won't keep out the numerous intruders trying to steal data from businesses. A well-trained team running a tight security operations centre (SOC), one that can react quickly and effectively to cyber threats, is the best defence against attackers.

That's why Stena AB runs red team versus blue team exercises roughly three times a year, so its cyber security practitioners are ready to respond to the latest threats that could strike the business.

A red team drill is like a cyber attack training day: security practitioners assemble and are divided into two teams, with the red team attacking and the blue team defending. The red team simulates a cyber attack by attempting to breach Stena's systems, and the blue team tries to detect and stop it. It's a common industry exercise that keeps security teams sharp.


When IT Pro asked for details of anything that came up in recent exercises, Carling told us that asset management was something Stena, and every other company in the world, will face issues with.

"[The red team] will find devices that are not supposed to be there and utilise them, they will breach them and get in. If you have a good red team, you can't stop them, they will get in one way or another," said Carling. "The only difference is how long it takes for them to get in. The improvement that we want to see is whether the blue team is getting better at detecting them."

In addition to regular exercises, Stena also has a global SOC, which gives its security experts a holistic, business-wide view of the security of its facilities.

"No captain would ever navigate without radar," he said, so there is no reason why security professionals should operate without an extensive view of oncoming threats.

"If you don't know what's in your network, you don't have security - you need to know exactly what's out there," said Carling.

The company's latest initiative is a programme of cyber security ambassadors: individuals from different Stena facilities who have shown an interest in cyber security come together to receive extensive training, then return to their own sites and spread that knowledge to their teams.
