Although the COVID-19 crisis is still unfolding, valuable lessons about organisational resilience are already being learnt.
Nobody could have anticipated the speed and extent of the pandemic’s impact on communities and economies, but the organisations that have proven most resilient are those who were prepared for a wide range of circumstances, rather than those who focused their contingency planning on specific risks.
And this would certainly apply to organisations with a Digital Resilience strategy in place. “If you manage your Digital Resilience planning well, then you will have a roadmap for handling almost any crisis situation”, says Alzbeta Helienek, Principal Consultant, Ricardo Rail.
“It doesn’t matter what the event trigger is, a fully-worked out Digital Resilience strategy will answer the opening questions of any response plan, such as which assets are most important to you? How will you communicate with customers and staff? How will you facilitate quick decision making?”
Why Digital Resilience goes beyond cyber security
With technology embedded across almost every aspect of critical infrastructure, true digital resilience is not just about protecting IT systems with specific counter-measures.
It is also about managing interfaces between information networks and physical assets. It means identifying vulnerabilities in supply chains and safeguarding interactions between your staff and external environments.
“The same logic applies to the rail sector,” says Alzbeta. “Modern fleets are wirelessly connected via on-board communication gateways. Network traffic is managed by centralised command and control technologies. Almost every device is connected in some way to a network”.
This explains the importance to the industry of legislation such as the EU’s Directive on the Security of Network and Information Systems (NIS-D).
Although the Directive is mandatory for rail operations, the approaches to business continuity and contingency planning that it advocates serve as a benchmark for the entire sector and its supply chain to aspire to.
Focused squarely on preparing for a ‘loss of service’, the Directive sets out four clear objectives:
- Managing security risk
- Defending against cyber attack
- Detecting cyber security events
- Minimising the impact of cyber incidents.
To meet the Directive's requirements, organisations must evaluate and document disaster recovery capabilities and business continuity strategies.
Management teams, for example, must pinpoint the most critical activities for maintaining service delivery, detail how redundant systems and backup working space will be provided, and demonstrate clearly defined lines of communication and decision making.
“The Directive requires organisations to prioritise their key assets - their most vulnerable and most critical,” explains Alzbeta. “They are expected to ask the 'What Happens' question and then test their planned response”.
“When responding to the COVID-19 outbreak, the organisations who have gone through the Digital Resilience process could make decisions at speed, apply disaster recovery scenarios and remain operational”.
“When incidents are managed with such competence and sure-footedness, it gives all stakeholders confidence in the organisation and its leadership. It provides assurance that future incidents will be handled with similar clarity and purpose”.