Modern cyber security bears great resemblance to the Titanic disaster, says Stena CISO

The security head likens the maritime disaster to cyber security blunders and gives his thoughts on how to move forward

Magnus Carling

Magnus Carling, CISO of worldwide conglomerate Stena AB, likened modern cyber security practices to the oversights which led to the Titanic disaster in 1912.

Speaking at Cloudsec 2019, Carling told attendees "the iceberg was innocent. It wasn't the iceberg that made Titanic sink", before drawing some obvious comparisons between the famous sinking and modern cyber attacks.


Carling said the Titanic's captain ignored warnings from other ships about the oncoming iceberg, just like how system administrators sometimes either ignore or misread warning signs that a business may be under attack.

In addition, the captain demonstrated unsafe practices by travelling at around 22 knots - much faster than what was considered safe. This is equivalent to ignoring established security best practices such as securing endpoints or managing patches adequately.

The crew tasked with keeping the ship running smoothly was also not given any sort of disaster training, said Carling, which is akin to not having a disaster recovery strategy in place should a business come under cyber attack.

The last similarity was that before leaving for her maiden voyage, the Titanic was equipped with too few lifeboats and the crew knew this and departed anyway. In doing so, the crew "silenced the security voice", Carling said.


"I can bet my dog that someone somewhere told someone in charge [that] it's not a good idea to run in that high speed, it's not a good idea to not have lifeboats and not train the crew how to use the lifeboats - and I think we're seeing this today, in many cases," he added.

Carling said cyber security practitioners need to ask themselves whether their security voice is strong enough. To stop that voice being silenced for good, he argued, we must embrace regulations.

"But there's one thing that can help us which is a good thing and that's regulations because a lot of people think that regulations are like this heavy weighted blanket [and that] it's a lot of work being compliant. But they do help you because they give you arguments that you should improve your cyber security stature."

One such regulation that Carling heralded was the network and information systems (NIS) directive adopted by EU member states in 2016 - it was the first EU-wide cyber security regulation. Carling said the NIS directive is the cyber security equivalent of the safety of life at sea (SOLAS) convention adopted in the maritime industry.


The NIS directive aimed to unify the standards of cyber security within the EU to help protect member states from being attacked through vulnerabilities in other nations. It was implemented in UK domestic law at the same time as GDPR.

But regulations alone won't keep out the numerous intruders trying to steal data from businesses. A well-trained team running a tight security operations centre (SOC) that can react quickly and effectively to cyber threats is the best defence against attackers.

That's why at Stena AB, the company runs red team versus blue team exercises roughly three times every year so its cyber security practitioners are ready to respond to the latest threats that could strike their business.

A red team drill is like a cyber attack training day: security practitioners assemble and are divided into two teams, with the red team attacking and the blue team defending. The red team simulates a cyber attack by attempting to breach Stena's systems, and the blue team tries to stop it from happening. It's a common industry exercise that keeps security teams sharp.


When IT Pro asked for details of anything that came up in recent exercises, Carling told us that asset management was something that Stena and all other companies in the world will face issues with.

"[The red team] will find devices that are not supposed to be there and utilise them, they will breach them and get in. If you have a good red team, you can't stop them, they will get in one way or another," said Carling. "The only difference is how long it takes for them to get in. The improvement that we want to see is whether the blue team is getting better at detecting them." 

In addition to regular exercises, Stena also has a global SOC, which gives its security experts a holistic, business-wide view of the security of its facilities.

"No captain would ever navigate without radar," he said, so there's no reason why security professionals should operate without an extensive view of oncoming threats.


"If you don't know what's in your network, you don't have security - you need to know exactly what's out there," said Carling.
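Carling's point about asset management is that a red team finds the devices nobody knew were there. One concrete defensive check a blue team can run is to reconcile the asset inventory against what is actually appearing on the network. The following is an added example and is not code from the article or from Stena; the inventory, the DHCP lease log lines and their syslog-like format are all constructed for illustration, and using DHCP leases as the observation source is an assumption (ARP tables, switch MAC tables or NetFlow would work the same way).

```python
"""Reconcile an asset inventory against hosts actually seen on the network.

Added example, not from the article or from Stena. The inventory, the log
lines and the log format below are constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed asset inventory, keyed by MAC address: what the organisation
# believes is on the network.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"hostname": "fileserver-01", "owner": "IT"},
    "aa:bb:cc:00:00:02": {"hostname": "hr-laptop-17", "owner": "HR"},
    "aa:bb:cc:00:00:03": {"hostname": "printer-2f", "owner": "Facilities"},
}

# Constructed DHCP lease log (syslog-like layout is an assumption).
# Line 3 is an unregistered device; line 4 did not even send a hostname.
DHCP_LOG = """\
Jul 09 08:01:12 dhcpd: DHCPACK on 10.0.5.21 to aa:bb:cc:00:00:01 (fileserver-01)
Jul 09 08:03:45 dhcpd: DHCPACK on 10.0.5.88 to aa:bb:cc:00:00:02 (hr-laptop-17)
Jul 09 08:07:03 dhcpd: DHCPACK on 10.0.5.140 to de:ad:be:ef:12:34 (raspberrypi)
Jul 09 08:09:30 dhcpd: DHCPACK on 10.0.5.141 to 11:22:33:44:55:66
"""

# The hostname in parentheses is optional; some clients never send one.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))?"
)


@dataclass(frozen=True)
class Sighting:
    """One device observed on the network."""
    mac: str
    ip: str
    name: str  # empty string when the client sent no hostname


def parse_leases(log_text):
    """Extract (mac, ip, hostname) sightings from DHCPACK log lines."""
    sightings = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            sightings.append(Sighting(m["mac"].lower(), m["ip"], m["name"] or ""))
    return sightings


def reconcile(inventory, sightings):
    """Compare inventory with observations.

    Returns (unknown, missing):
      unknown - sightings whose MAC is not in the inventory (the devices
                "not supposed to be there"); these go to the SOC for triage.
      missing - inventoried MACs never observed; the inventory may be stale
                or the asset may be offline, either way worth a follow-up.
    """
    seen = {s.mac for s in sightings}
    unknown = [s for s in sightings if s.mac not in inventory]
    missing = sorted(mac for mac in inventory if mac not in seen)
    return unknown, missing


if __name__ == "__main__":
    unknown, missing = reconcile(INVENTORY, parse_leases(DHCP_LOG))
    for s in unknown:
        print(f"UNKNOWN DEVICE  {s.mac}  {s.ip}  {s.name or '<no hostname>'}")
    for mac in missing:
        print(f"NOT SEEN        {mac}  {INVENTORY[mac]['hostname']}")
```

Run against a real lease log, the "unknown" list is the red team's favourite finding surfaced by the blue team first; the "missing" list is the quieter problem, an inventory that no longer matches reality, which is what makes the first list hard to trust.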

The company's latest initiative is a programme of cyber security ambassadors: individuals from different Stena facilities who have shown an interest in cyber security come together to receive extensive training, then head back to their base and spread that knowledge to their team.
