
“Cyber attacks are the main threat that we constantly face.”

 
Cyber attacks, power cuts, supply shortages – emergencies can take many forms. Kerstin Weinert is in charge of Business Continuity Management at KSB. In our interview, she explains how she helps the company to prepare for crisis scenarios, ensuring KSB remains a safe place to work and a reliable partner in every situation. 
Stream of Stories: In 2022, KSB was the target of a cyber attack, which proved to be a seminal moment for the company. What was your experience of this incident?
Kerstin Weinert: I found out via internal chat groups that something was going on. The cyber attack was detected by our security tools and it quickly became clear that this was a serious attack. My impression was that everything was being dealt with in a very organised and calm manner and that operations were resumed in a structured way: KSB disconnected itself from the Internet; passwords were reset; servers were shut down and only brought back online in a phased manner after they had been checked. We have many experienced and diligent members of staff and received excellent guidance from an external IT forensics company. Luckily, we had disconnected ourselves from the Internet in time, which meant we were able to avoid untold damage, such as encryption of our data. This helped to significantly mitigate the situation.
What lessons has KSB learnt from this attack? 
It showed us just how vulnerable we are as a company. After the attack, we implemented a comprehensive programme to strengthen information security and establish a Business Continuity Management System for IT. In other words, this is a Management System designed to ensure that normal operations are rapidly restored in the event of an emergency. At the same time, we also had the idea of setting up a Business Continuity Management System for non-IT-related crisis situations, such as supply chain disruptions or natural disasters. This is naturally something which requires project management and my profile was a good fit for the topic. I worked in nuclear sales and engineering for many years – a high-security environment where you automatically think in terms of risk and failure scenarios. It sounded so interesting that I decided to move into Business Continuity Management. 
Business Continuity Management probably sounds rather abstract at first to many readers. What does your daily work involve exactly?
My work basically involves drawing up a business continuity plan – in other words, an emergency plan that sets out who needs to do what and how in the event of an emergency. For us, however, Business Continuity Management is about more than that: We want to set up everything as a proper Management System. This means providing a framework for Business Continuity Management – i.e. processes, roles, methodologies and content – to ensure its effectiveness and to continuously improve this. KSB already has established, audited and certified Management Systems that comply with ISO standards. Well-known parts of this integrated Management System include the Management Systems for quality, occupational health and safety, and the environment as well as the recently introduced energy Management System. We also intend to integrate Business Continuity Management and information security into this structure, as it makes good sense from both an organisational and methodological perspective.

The business continuity manager: Kerstin Weinert

Kerstin Weinert is spearheading the development of Business Continuity Management (BCM) at KSB – with the clear objective of ensuring the company remains operational even in exceptional circumstances. Prior to this, she spent many years working in nuclear sales and engineering, and now draws on this experience to help make KSB resilient to IT outages, natural disasters and supply chain disruptions. When she isn’t working on future-proofing the company, she can often be found in the kitchen, engrossed in a crime novel or outside with her two daughters’ horses. 
What are the main scenarios you are preparing for?
Cyber attacks are de facto the main threat that we constantly face. I also see natural disasters as a major risk, as they can put entire factories out of operation. At the KSB plant in La Roche-Chalais, France, for example, a hailstorm in 2022 caused extensive damage to large parts of the facility. We had a similar situation in the USA in 2024 when a hurricane appeared in an area where one had never occurred before. Even if such storms do not cause large-scale damage to a plant, they can still lead to power cuts and other significant damage that bring public life to a standstill, which means the factory will also no longer be able to produce anything. But it doesn’t always have to be a natural disaster: In South Africa, for example, the electricity company simply cuts off the power from time to time. I also see supply chains as being very critical at the moment. An unexpected lack of staff is another scenario for which we need to be prepared. In Dubai, we recently found ourselves in a situation where employees were advised to stay in safe areas due to the security threat posed by the war with Iran. Last but not least, we are all very familiar with the effects of a pandemic.
How far along are you with implementing this? 
We’ve already made a lot of progress with the framework. Now we are focusing on the content. The first step was to develop the content using a business impact analysis. We examined all of our global process chains and then conducted interviews with employees following a set of guidelines. Key questions included, for example: Are there any IT systems or applications that you urgently need and cannot work without? How long do you think you can work without an ERP system? Are there people who are so important that the entire process grinds to a halt if they don’t come to work in the morning? This gave us an initial overview of the key process chains, providing the basis for us to now define specific contingency measures and develop ‘Plan B’ scenarios. 

A KSB warehouse in La Roche-Chalais damaged by hail: holes in the ceiling, water on the floor and debris everywhere reflect the scale of damage. 

How do you ensure that the business continuity plan doesn’t just wind up in a cupboard gathering dust?  
Implementing it as a Management System ensures that regular reviews and audits are conducted to keep the plan up to date. We also need to carry out regular training exercises. After the cyber attack, we started training for IT emergencies: We appointed an emergency response team, invited the relevant people to take part in drills and confronted them with realistic scenarios, such as various anomalies occurring in the systems. We then watched from the sidelines to see how they dealt with the situation and the information. Did they follow the steps we had set out earlier? Did they call the colleagues they were supposed to call? Their initial reactions varied greatly. Even in training situations, people’s adrenaline levels rise. But it is precisely this stress that is needed, because real-life situations also induce stress. And with each exercise, the participants became more relaxed. The more you practise, the more confident you become that you are reacting the right way in such situations. So practise, practise, practise! 
Will you be rolling out Business Continuity Management globally as well? 
We are starting centrally in Germany, but of course our aim is to introduce Business Continuity Management worldwide, particularly within our production companies. However, I should emphasise that there are companies within the Group that already have extensive precautions in place. In countries where power cuts or supply disruptions are more common, our companies have, of course, been preparing for emergencies for a long time. For example, our company in South Africa has emergency power generators, water, spare parts stocks and redundant systems at the ready just in case. This is exactly what we want to build on: learning from one another, sharing solutions and avoiding unnecessary duplication of work. Our task is therefore also to strengthen the networking between these companies and to establish a platform for exchange so that best practices can be quickly made available to others. 
Business Continuity Management does not generate any sales revenue. Is it therefore sometimes difficult to get the necessary attention from Management? 
Management is very much on board, as the security and resilience of the company have long been a management priority for KSB. The reliability of supply chains is also an increasingly important concern for our customers as well. Business Continuity Management adds value, at least indirectly, because it strengthens our customers’ trust and loyalty. We also have to comply with regulations, such as the NIS 2 Directive, which requires companies above a certain size to implement mandatory cyber security measures. Investing in Business Continuity Management is essentially a cost-benefit decision: Which risks are we prepared to accept, and which risks are we not – and what does it cost to reduce risks? To weigh this up, the risks and costs must be clearly laid out. We make this clear using Business Continuity Management methodologies. 
Does the issue of risk concern you in your private life too – have you become a ‘prepper’ who prepares for emergencies at home?
We have indeed started to take a more proactive approach to being prepared for emergencies at home as well. By using solar power and geothermal energy, we are already very self-sufficient. We are also in the process of stocking up the basement with enough supplies to last two or three weeks and have bought additional torches. Maybe we’ll drill a well in the garden, too. You never know when you might need it! 
