Modern cyber security bears great resemblance to the Titanic disaster, says Stena CISO

The security head likens the maritime disaster to cyber security blunders and gives his thoughts on how to move forward

Magnus Carling

Magnus Carling, CISO of worldwide conglomerate Stena AB, likened modern cyber security practices to the oversights which led to the Titanic disaster in 1912.

Speaking at Cloudsec 2019, Carling told attendees "the iceberg was innocent. It wasn't the iceberg that made Titanic sink", before drawing some obvious comparisons between the famous sinking and modern cyber attacks.

Carling said the Titanic's captain ignored warnings from other ships about the oncoming iceberg, just like how system administrators sometimes either ignore or misread warning signs that a business may be under attack.

In addition, the captain demonstrated unsafe practices by travelling at around 22 knots - much faster than was considered safe. This is comparable to ignoring other security best practices, such as securing endpoints or managing patches adequately.

The crew tasked with keeping the ship running smoothly was also not given any sort of disaster training, said Carling, which is akin to not having a disaster recovery strategy in place should a business come under cyber attack.

The last similarity was that before leaving for her maiden voyage, the Titanic was equipped with too few lifeboats and the crew knew this and departed anyway. In doing so, the crew "silenced the security voice", Carling said.

"I can bet my dog that someone somewhere told someone in charge [that] it's not a good idea to run in that high speed, it's not a good idea to not have lifeboats and not train the crew how to use the lifeboats - and I think we're seeing this today, in many cases," he added.

Carling said cyber security practitioners need to ask themselves whether their security voice is strong enough, but that to avoid this possibility for good, we must embrace regulations.

"But there's one thing that can help us which is a good thing and that's regulations because a lot of people think that regulations are like this heavy weighted blanket [and that] it's a lot of work being compliant. But they do help you because they give you arguments that you should improve your cyber security stature."

One such regulation that Carling heralded was the network and information systems (NIS) directive adopted by EU member states in 2016 - it was the first EU-wide cyber security regulation. Carling said the NIS directive is the cyber security equivalent of the safety of life at sea (SOLAS) convention adopted in the maritime industry.

The NIS directive aimed to unify the standards of cyber security within the EU to help protect member states from being attacked through vulnerabilities in other nations. It was implemented in UK domestic law at the same time as GDPR.

But regulations alone won't keep out the numerous intruders trying to steal data from businesses. A well-trained team running a tight security operations centre (SOC) that can react quickly and effectively to cyber threats is the best defence against attackers.

That's why at Stena AB, the company runs red team versus blue team exercises roughly three times every year so its cyber security practitioners are ready to respond to the latest threats that could strike their business.

A red team drill is like a cyber attack training day: security practitioners assemble and are divided into two teams, with the red team attacking and the blue team defending. The red team tries to simulate a cyber attack by attempting to breach Stena's systems, and the blue team tries to stop it from happening. It's a common industry exercise that keeps security teams sharp.

When IT Pro asked for details of anything that came up in recent exercises, Carling told us that asset management was something that Stena and all other companies in the world will face issues with.

"[The red team] will find devices that are not supposed to be there and utilise them, they will breach them and get in. If you have a good red team, you can't stop them, they will get in one way or another," said Carling. "The only difference is how long it takes for them to get in. The improvement that we want to see is whether the blue team is getting better at detecting them."

In addition to regular exercises, Stena also has a global SOC which gives its security experts a holistic, business-wide view of the security of its facilities.

"No captain would ever navigate without radar," he said, so there's no reason why security professionals should operate without an extensive view of oncoming threats.

"If you don't know what's in your network, you don't have security - you need to know exactly what's out there," said Carling.

The latest technique used by the company is deploying cyber security ambassadors: individuals from different Stena facilities who have shown an interest in cyber security congregate to receive extensive training, then head back to their base and spread that knowledge to their team.
