Anglo American cyber lead calls for continuity strategies in industrial control space

Establishing a business continuity strategy in the face of a cyber incident is critical, according to mining giant's CISO

Add bookmark
Beth Maundrill
Beth Maundrill
06/23/2022

Anglo American cyber lead calls for continuity strategies in industrial control space

Organizations often do not have mature business continuity strategies in the cyber space compared with other areas like natural disasters for example, highlighted Craig McEwen, CISO at Anglo American, speaking at InfoSecurity Europe 2022.

Representing the global mining giant at the exhibition, McEwen said that identifying what the minimum is needed to do what the business is set to do ultimately helps risk programs become more focused as apposed to assessing blanket assets and systems.

While some organizations may believe that there are over a dozen value chain points that make up this minimum, ultimately it should be whittled down to around five that are business critical, he noted.

ICS space

With streamlined and structured value chain points within industrial control systems (ICS) it also enables organizations to carry out backup testing more effectively.

McEwan noted that while CISOs may be under pressure to quickly develop business continuity plans (BCPs), “managing expectations of the business” was essential and that creating a viable BCP was “time well spent”.

When speaking to the board about business and continuity in cyber, McEwan advised talking about risk in relation to recovery was a topic boards were typically keen to hear.

Looking at ICS that are critical to industrial processes, organizations need to be able to define the roots that these systems take.

“You will have communications paths going everywhere,” McEwan said. When building the BCP it is important to understand if such communication paths are legitimate.

Once these systems have been identified, defined and mapped, the resilience program should be built around those devices.

Critical infrastructure at risk

Speaking about Critical National Infrastructure’s (CNI) cyber vulnerabilities during InfoSecurity Europe 2022, Alex Harris, head of NHS and social care cyber risk at NHSCX, said that the safety critical parts of CNI are certainly behind when it comes to cyber security.

Harris added that the profit cyber criminals can make when targeting CNI is certainly attractive because, typically, CNI has a lower tolerance for downtime.

CNI has continued to experience attacks not too dissimilar to incidents that have involved organizations in other sectors, however, McEwan suggested that it may mean the worse has yet to come. As McEwan told delegates at InfoSecurity Europe 2022, having a cyber security based BCP is critical for CNI today.

Looking ahead, Harris highlighted that getting the cyber security basics right was a must for organizations today but it should be recognized that achieving those basics is a lot more complicated today.

Register now for updates from the Cyber Security Digital Summit: Gov & Critical Infrastructure APAC 2022


RECOMMENDED