Anglo American cyber lead calls for continuity strategies in industrial control space
Establishing a business continuity strategy in the face of a cyber incident is critical, according to mining giant's CISO
Organizations often lack business continuity strategies for cyber incidents that are as mature as those they have for other areas, such as natural disasters, said Craig McEwen, CISO at Anglo American, speaking at InfoSecurity Europe 2022.
Representing the global mining giant at the exhibition, McEwen said that identifying the minimum needed to do what the business is set to do ultimately helps risk programs become more focused, as opposed to blanket assessment of assets and systems.
While some organizations may believe that there are over a dozen value chain points that make up this minimum, ultimately it should be whittled down to around five that are business critical, he noted.
ICS space
Streamlined and structured value chain points within industrial control systems (ICS) also enable organizations to carry out backup testing more effectively.
McEwen noted that while CISOs may be under pressure to quickly develop business continuity plans (BCPs), “managing expectations of the business” was essential and that creating a viable BCP was “time well spent”.
When speaking to the board about business continuity in cyber, McEwen advised talking about risk in relation to recovery, a topic boards were typically keen to hear about.
Looking at ICS that are critical to industrial processes, organizations need to be able to define the routes that these systems take.
“You will have communications paths going everywhere,” McEwen said. When building the BCP it is important to understand whether such communication paths are legitimate.
Once these systems have been identified, defined and mapped, the resilience program should be built around those devices.
Critical infrastructure at risk
Speaking about Critical National Infrastructure’s (CNI) cyber vulnerabilities during InfoSecurity Europe 2022, Alex Harris, head of NHS and social care cyber risk at NHSCX, said that the safety critical parts of CNI are certainly behind when it comes to cyber security.
Harris added that the profit cyber criminals can make when targeting CNI is certainly attractive because, typically, CNI has a lower tolerance for downtime.
CNI has continued to experience attacks not too dissimilar to incidents that have involved organizations in other sectors; however, McEwen suggested that it may mean the worst has yet to come. As McEwen told delegates at InfoSecurity Europe 2022, having a cyber security-based BCP is critical for CNI today.
Looking ahead, Harris highlighted that getting the cyber security basics right was a must for organizations today but it should be recognized that achieving those basics is a lot more complicated today.