Modern cyber security bears great resemblance to the Titanic disaster, says Stena CISO

Magnus Carling

Magnus Carling, CISO of worldwide conglomerate Stena AB, likened modern cyber security practices to the oversights which led to the Titanic disaster in 1912.

Speaking at Cloudsec 2019, Carling told attendees "the iceberg was innocent. It wasn't the iceberg that made Titanic sink", before drawing some obvious comparisons between the famous sinking and modern cyber attacks.

Carling said the Titanic's captain ignored warnings from other ships about the oncoming iceberg, just like how system administrators sometimes either ignore or misread warning signs that a business may be under attack.

In addition, the captain demonstrated unsafe practices by travelling at around 22 knots - much higher than what was considered to be safe. This can be considered equal to ignoring other security best practices such as securing endpoints or not managing patches adequately.

The crew tasked with keeping the smooth running of the ship was also not given any sort of disaster training, said Carling which akin to not having a disaster recovery strategy in place if a business comes under a cyber attack.

The last similarity was that before leaving for her maiden voyage, the Titanic was equipped with too few lifeboats and the crew knew this and departed anyway. In doing so, the crew "silenced the security voice", Carling said.

"I can bet my dog that someone somewhere told someone in charge [that] it's not a good idea to run in that high speed, it's not a good idea to not have lifeboats and not train the crew how to use the lifeboats - and I think we're seeing this today, in many cases," he added.

Carling said cyber security practitioners need to ask themselves whether their security voice is strong enough but to permanently avoid this possibility, we must embrace regulations.

"But there's one thing that can help us which is a good thing and that's regulations because a lot of people think that regulations are like this heavy weighted blanket [and that] it's a lot of work being compliant. But they do help you because they give you arguments that you should improve your cyber security stature."

One such regulation that Carling heralded was the network and information systems (NIS) directive adopted by EU member states in 2016 - it was the first EU-wide cyber security regulation. Carling said the NIS directive is the cyber security equivalent of the safety of life at sea (SOLAS) convention adopted in the maritime industry.

The NIS directive aimed to unify the standards of cyber security within the EU to help protect member states from being attacked through vulnerabilities in other nations. It was implemented in UK domestic law at the same time as GDPR.

But regulations alone won't keep out the numerous intruders trying to steal data from businesses, a well-trained team running a tight security operations centre (SOC) that can react quickly and effectively to cyber threats is the best defence against attackers.

That's why at Stena AB, the company runs red team versus blue team exercises roughly three times every year so its cyber security practitioners are ready to respond to the latest threats that could strike their business.

A red team drill is like a cyber attack training day, security practitioners assemble and are divided into two teams: red team attacks and blue defends. The red team will try to simulate a cyber attack by attempting to breach Stena's systems and the blue team will try and stop it from happening. It's a common industry exercise that keeps security teams sharp.

When IT Pro asked for details of anything that came up in recent exercises, Carling told us that asset management was something that Stena and all other companies in the world will face issues with.

"[The red team] will find devices that are not supposed to be there and utilise them, they will breach them and get in. If you have a good red team, you can't stop them, they will get in one way or another," said Carling. "The only difference is how long it takes for them to get in. The improvement that we want to see is whether the blue team is getting better at detecting them."

In addition to regular exercise, Stena also has a global SOC which gives their security experts a holistic, business-wide view of their facilities' security.

"No captain would ever navigate without radar," he said, so there's no reason why security professionals should operate without an extensive view of oncoming threats.

"If you don't know what's in your network, you don't have security - you need to know exactly what's out there," said Carling.

The latest technique used by the company is deploying cyber security ambassadors where individuals from different Stena facilities who have shown an interest in cyber security can congregate and receive extensive training and then head back to their base and spread that knowledge to their team.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.