Modern cyber security bears great resemblance to the Titanic disaster, says Stena CISO

The security head likens the maritime disaster to cyber security blunders and gives his thoughts on how to move forward

Magnus Carling

Magnus Carling, CISO of worldwide conglomerate Stena AB, likened modern cyber security practices to the oversights which led to the Titanic disaster in 1912.

Speaking at Cloudsec 2019, Carling told attendees "the iceberg was innocent. It wasn't the iceberg that made Titanic sink", before drawing some obvious comparisons between the famous sinking and modern cyber attacks.

Carling said the Titanic's captain ignored warnings from other ships about the oncoming iceberg, just like how system administrators sometimes either ignore or misread warning signs that a business may be under attack.

In addition, the captain demonstrated unsafe practices by travelling at around 22 knots - much faster than was considered safe. This is comparable to ignoring other security best practices, such as securing endpoints or managing patches adequately.


The crew tasked with keeping the ship running smoothly was also not given any sort of disaster training, said Carling, which is akin to not having a disaster recovery strategy in place for when a business comes under cyber attack.

The last similarity was that before leaving for her maiden voyage, the Titanic was equipped with too few lifeboats and the crew knew this and departed anyway. In doing so, the crew "silenced the security voice", Carling said.

"I can bet my dog that someone somewhere told someone in charge [that] it's not a good idea to run in that high speed, it's not a good idea to not have lifeboats and not train the crew how to use the lifeboats - and I think we're seeing this today, in many cases," he added.

Carling said cyber security practitioners need to ask themselves whether their security voice is strong enough, but that the surest way to keep it from being silenced is to embrace regulations.

"But there's one thing that can help us which is a good thing and that's regulations because a lot of people think that regulations are like this heavy weighted blanket [and that] it's a lot of work being compliant. But they do help you because they give you arguments that you should improve your cyber security stature."

One such regulation that Carling heralded was the Network and Information Systems (NIS) directive, adopted by EU member states in 2016 as the first EU-wide cyber security regulation. Carling said the NIS directive is the cyber security equivalent of the Safety of Life at Sea (SOLAS) convention adopted in the maritime industry.


The NIS directive aimed to unify the standards of cyber security within the EU to help protect member states from being attacked through vulnerabilities in other nations. It was implemented in UK domestic law at the same time as GDPR.

But regulations alone won't keep out the numerous intruders trying to steal data from businesses. A well-trained team running a tight security operations centre (SOC) that can react quickly and effectively to cyber threats is the best defence against attackers.

That's why at Stena AB, the company runs red team versus blue team exercises roughly three times every year so its cyber security practitioners are ready to respond to the latest threats that could strike their business.

A red team drill is like a cyber attack training day: security practitioners assemble and are divided into two teams, with the red team attacking and the blue team defending. The red team simulates a cyber attack by attempting to breach Stena's systems, and the blue team tries to stop it from happening. It's a common industry exercise that keeps security teams sharp.


When IT Pro asked for details of anything that came up in recent exercises, Carling told us that asset management is an issue Stena, like every other company in the world, will keep running into.

"[The red team] will find devices that are not supposed to be there and utilise them, they will breach them and get in. If you have a good red team, you can't stop them, they will get in one way or another," said Carling. "The only difference is how long it takes for them to get in. The improvement that we want to see is whether the blue team is getting better at detecting them." 


In addition to regular exercises, Stena also has a global SOC, which gives its security experts a holistic, business-wide view of the security of its facilities.

"No captain would ever navigate without radar," he said, so there's no reason why security professionals should operate without an extensive view of oncoming threats.

"If you don't know what's in your network, you don't have security - you need to know exactly what's out there," said Carling.

The latest technique used by the company is deploying cyber security ambassadors: individuals from different Stena facilities who have shown an interest in cyber security congregate to receive extensive training, then head back to their base and spread that knowledge to their team.
