Rick Holmes, assistant VP and CISO at Union Pacific Railroad, detailed at InfoSec World 2020 how the transportation giant incorporates cybersecurity risk into its larger enterprise risk management process in order to help senior executives estimate losses caused by potential cyber incidents and make better decision on where to invest in defenses.
“We think that we’ve gotten there – that we can say over time how well we’re managing risk to the enterprise,” said Holmes.
Headquartered in Ohama, Nebraska, Union Pacific runs freight trains across 23 states spanning the western two-thirds of the United States. Its approximately 7,700 locomotives chug along roughly 32,200 miles of tracks, serving around 10,000 customers.
Union Pacific’s cyber risk framework is based primarily on the concept of preserving the availability of 26 key businesses processes that keep the business running and trains safely operating on schedule. These include dispatching trains, processing customer orders and procuring supplies. These processes are, in turn, supported by 36 critical applications and over 200 supporting infrastructure items.
“We really do monitor these…
