IT Infrastructure Resilience

As I’ve been digging into the #CybersecurityFramework 2.0, and helping clients navigate the changes, I’ve found several areas where the new additions feel pretty significant. If you’re already using the #CSF and trying to figure out where to focus first, take note of these new Categories: ◾ The POLICY (GV.PO) Category was created to encompass ALL cybersecurity policies and guidance. Now, on one hand it might seem like a "well, of course" moment to consolidate all cybersecurity policies into one place - on the other hand, policies were previously sprinkled throughout the CSF, and were tied to specific actions like Asset Management or Incident Response. Now, it's all in one area, which makes a ton of sense and simplifies things, but also means we've got to remember that this one Category covers everything! ◾ Another significant addition is the PLATFORM SECURITY (PR.PS) Category which largely pulls together key topics from the previous Information Protection Processes & Procedures (PR.IP) and Protective Technology (PR.PT) focusing on security protections around broader platform types (hardware, software, virtual, etc.). If you’re looking for things like configuration management, maintenance, and SDLC – you’ll now find them here.  ◾ The TECHNOLOGY INFRASTRUCTURE RESILIENCE (PR.IR) Category pulls largely from the previous Information Protection Processes & Procedures (PR.IP) and Protective Technology (PR.PT) as well, but also pulls in key aspects from Data Security (PR.DS). This new Category highlights the need for managing an organization’s security architecture and includes security protections around networks as well as your environment to ensure resource capacity, resilience, etc. So, what does all this mean for your organization? Whether you're just starting out, or you're looking to refine your existing cybersecurity strategies, CSF 2.0 offers a more streamlined framework to use to bolster your cyber resilience. Remember, staying ahead in cybersecurity is a continuous journey of adaptation and improvement. Embrace these changes as an opportunity to review and enhance your cybersecurity posture, leveraging the expanded resources and guidance provided by #NIST! Have you seen the updated mapping NIST released from v1.1 to v2.0? Check it out here to get started and “directly download all the Informative References for CSF 2.0” 👇 https://lnkd.in/e3F6hn9Y

There was enough power, but there wasn’t enough resilience. Last week’s Heathrow shutdown wasn’t just a power outage—it was an exposure. A transformer fire at the North Hyde substation took out electricity to the world’s second-busiest airport. The ripple effects were felt across global aviation, supply chains, and headlines. John Pettigrew, CEO of National Grid, says the other two substations serving Heathrow had enough capacity to keep the airport running. So why the closure? Because operational resilience isn’t just about capacity—it’s about design, systems, decision-making, and time. Heathrow’s CEO explained that they had to shut down thousands of systems and methodically reboot them to ensure safety. Backup generators existed—but only to cover critical safety systems, not full operations. Switching to alternate substations wasn’t instantaneous; reconfiguring and restoring took hours. This is a classic example of design resilience vs. lived resilience. We often assume that having backup available is enough. But in complex systems—airports, hospitals, data centers—it’s how quickly and safely that backup can be activated that defines true resilience. Other major airports have made resilience a priority: - JFK, New York – 110 MW gas-fired CHP plant enabling full microgrid operation during outages. - Frankfurt Airport – Redundant grid feeds, on-site gas turbine generation, and UPS systems. - Amsterdam Schiphol – Integrated energy management system with diesel and battery backup for essential systems. - Changi Airport, Singapore – Multiple grid connections, standby diesel generation, and automated switchgear. - Incheon International, South Korea – Dual-feed substations, backup diesel generators, and smart grid control. These airports understand that resilience isn’t a luxury—it’s a license to operate. This is the future of energy for critical infrastructure: - Decentralized - Redundant - Fast-switching - Integrated with grid and on-site systems. If Heathrow—despite being served by three substations—could still go dark for nearly 24 hours, the question isn’t who to blame. It’s what to build differently. Are we designing our infrastructure for availability, or for agility? Are we investing in energy systems that can recover, or just survive? Let’s make sure this isn’t just a red flag—it’s a redirection. #EnergyResilience #InfrastructureLeadership #FutureOfPower #CriticalInfrastructure #Heathrow #GridSecurity #Digitalisation #Electrification

Understanding IT Contingency Planning Information Technology (IT) contingency planning is vital in ensuring organizational resilience. It is a key component of a broader continuity strategy that integrates business operations, risk management, communication protocols, financial planning, and security measures. While each aspect functions independently, they form a cohesive framework to safeguard organizational stability. Contingency planning for IT systems involves creating backup solutions and recovery procedures to address potential risks—whether natural, technological, or human-induced. The National Institute of Standards and Technology (NIST) outlines a comprehensive seven-step approach in Special Publication 800-34 to guide organizations in developing effective contingency plans. From initial policy development and impact analysis to preventive measures, recovery strategies, and plan testing, each phase ensures robust preparedness. A critical part of this process is embedding recovery capabilities into system designs during their development lifecycle, ensuring readiness throughout implementation, operation, and eventual disposal phases. Key Elements of Effective IT Contingency Planning 1. Policy Creation: Establishing objectives, roles, responsibilities, and maintenance schedules. 2. Business Impact Analysis (BIA): This process involves identifying critical resources and setting recovery time objectives (RTOs). 3. Preventive Controls: To minimize risks, implement measures like uninterruptible power supplies (UPS) and frequent data backups. 4. Recovery Strategies: Designing plans to restore operations efficiently while considering budgetary constraints and system dependencies. 5. Plan Development: Document detailed procedures for recovery, aligned with organizational roles and system priorities. 6. Training and Testing: Preparing teams through exercises to ensure readiness and system reliability during disruptions. 7. Plan Maintenance: Regularly updating and validating the plan to reflect changing personnel, systems, and priorities. A well-crafted IT contingency plan is not just a response mechanism but a proactive strategy to maintain organizational resilience. By aligning technical recovery strategies with business continuity objectives, organizations can navigate disruptions effectively, protecting both operations and data integrity. How does your organization approach IT contingency planning? Let’s share insights and best practices! Be the Solution 🔒 | Secure Once, Comply Many ✅ #ITContingencyPlanning #BusinessContinuity #CyberResilience #RiskManagement #ITSecurity #DataRecovery #NISTGuidelines

On Wednesday at the National Press Club, I had the privilege of moderating a fireside chat to launch the Institute for Critical Infrastructure Technology (ICIT) report, "𝘉𝘶𝘪𝘭𝘥𝘪𝘯𝘨 𝘙𝘦𝘴𝘪𝘭𝘪𝘦𝘯𝘤𝘦 𝘵𝘰 𝘚𝘰𝘤𝘪𝘦𝘵𝘢𝘭 𝘙𝘪𝘴𝘬 𝘪𝘯 𝘢 𝘋𝘪𝘨𝘪𝘵𝘢𝘭𝘭𝘺 𝘊𝘰𝘯𝘴𝘰𝘭𝘪𝘥𝘢𝘵𝘦𝘥 𝘞𝘰𝘳𝘭𝘥." This timely report addresses the vulnerabilities posed by the increasing concentration of digital infrastructure in the hands of a few organizations—creating high-value targets for adversaries and amplifying risks of cascading failures. The report outlines a robust recommendation framework, the "Four Rs of Digital Resilience": 1️⃣ Resourcing: Advocating investments to diversify and strengthen digital systems. 2️⃣ Recovery: Establishing comprehensive disaster recovery plans to restore critical systems. 3️⃣ Rehearsal: Conducting regular cybersecurity drills to test readiness and coordination. 4️⃣ Response: Developing clear deterrence policies to protect against cyber exploitation. These actionable recommendations demand immediate attention and collaboration from government, public, and private sectors. Building resilience isn't only a technical effort—it's an obligation to protect our economy, security, and way of life from digital disruptions. A special thank you to Brett Freedman and Cory Simpson, the co-leads of this critical effort, for their vision and leadership in driving this task force of experts and publishing this timely report. Let’s collectively commit to these measures to secure our interconnected future. As the report emphasizes, resilience is no longer optional—it's a necessity. To download and read the full report, visit ICIT’s website. #CyberResilience #DigitalConsolidation #CriticalInfrastructure #SocietalRisk #RiskMitigation #CyberSecurityLeadership #PublicPrivatePartnerships Marene Allison Edna Conway Nick Andersen Ankur Sheth

Revisiting the System-of-Systems Approach: Resilient and Sustainable Infrastructure As I revisit material I’ve written over the years, including my earlier work on the system-of-systems approach, its relevance today is clearer than ever: Our critical infrastructures — power & energy, telecommunications, transportation, finance, and many more — are deeply interconnected, making them vital yet vulnerable. Failures in one system often cascade across others, disrupting economies and lives. Building resilience requires integrating technological innovation with ethical leadership and strategic investments. > Interconnected Challenges, Shared Solutions — Critical systems rely on each other. For instance: • Power plants use 40% of national water withdrawals for cooling, while water systems depend on electricity. • The 2003 Northeast Blackout disrupted rail, traffic, and fuel networks, illustrating cascading failures. • Hurricane Katrina’s levee breaches paralyzed emergency services and communication networks. A system-of-systems approach evaluates these interdependencies to prioritize risks and investments, ensuring reliability across sectors. > Real-World Examples of Resilience: • Minnesota’s Renewable Energy Leadership: Despite limited sunlight (4.5 hours/day), Minnesota leads in solar and microgrid projects. Renewable Energy Partners Inc (REP), where I serve as CTO, combines clean energy innovation with job training, creating opportunities in underserved communities while supporting local economies. • Stockholm’s Waste-to-Energy System: Converts 99% of municipal waste into energy, powering 60,000 homes. • Singapore’s Smart Nation Initiative: AI-driven monitoring protects energy grids, transit, and healthcare systems, reducing downtime. > Integrating Technology and Leadership: While technology drives solutions, human leadership ensures ethical, forward-looking decisions. REP exemplifies how clean energy programs can align sustainability with economic growth. Workforce initiatives like IBM’s SkillsBuild, which trained over 2 million people globally, close skill gaps in cybersecurity and energy. > Proactive Investments for Resilience — A system-of-systems approach provides tools for smarter investments: • Standardized Metrics: Compare and prioritize projects based on cost, impact, and resilience. • Sustainability Integration: Center renewable energy and waste reduction in infrastructure planning. • Global Collaboration: Frameworks like the EU’s Circular Economy Plan and U.S. cybersecurity efforts align responses to shared challenges. Critical infrastructures are the backbone of modern life. Strengthening them through a system-of-systems approach will prevent cascading failures, drive equitable growth, and ensure long-term sustainability. This demands integrating technology, ethical leadership, and inclusive workforce development to build a secure, resilient future. #Infrastructure #Cyber #Energy #Leadership #Minnesota #Resilience #USA