By Katell Thielemann, analyst at Gartner
In early May, a large gas pipeline operator in the U.S. announced that it had been affected by a ransomware attack, disrupting operations for days afterwards. As a result, gas stations around the country saw rising prices and high demand as consumers grew concerned about the impact of the cyberattack on their ability to fuel their vehicles.
A mere two weeks later, U.S. meat production was halted due to another ransomware attack.
While operations have since returned to normal, this incident shows the potential for harm when the cyber and physical worlds intersect. These cyber-physical systems (CPS) introduce a new set of risks that few security and risk leaders have had to consider so far, but many will in the near future.
Although enterprise IT security is generally well-known and managed, CPS challenges traditional security approaches because they process more than information; they manage and optimize physical outcomes, from individual processes to entire ecosystems.
In a recent Gartner survey, security and risk leaders ranked the Internet of Things (IoT) and CPS as their top concerns for the next three to five years. Due to their very nature, CPS face security threats unlike those affecting enterprise IT systems. They are typically used in operations or mission-critical environments where value is created for organizations, so attackers are increasingly targeting them.
Faced with growing threats to critical assets, here are the steps that security and risk leaders can take to secure their organization’s CPS.
Expand your risk lens to CPS
The term cyber-physical systems encompasses concepts such as IoT, smart city and systems created as a result of operational technology (OT) and IT convergence. By using the broader term, security and risk leaders are encouraged to think beyond IT security and develop security programs encompassing the entire spectrum of cyber-physical risk.
Gartner predicts that by 2025, 50% of asset-intensive organizations such as utilities, resources and manufacturing firms will converge their cyber, physical and supply chain security teams under one chief security officer role that reports directly to the CEO.
Some types of threats to CPS go way back, for example, insider threats. In 2000, a disgruntled contractor manipulated SCADA radio-controlled sewage equipment for the Maroochy Shire Council in Queensland, Australia, to dump 800,000 litres of raw sewage into local parks.
More recently, ransomware attacks have brought down local infrastructure, halted logistics operations and disrupted steel production. GPS spoofing has affected ship navigation, and hackers accessed a casino’s high-stakes gamblers database through an aquarium thermometer.
There are also emerging threats to look out for. 5G, for example, has many benefits such as faster communications, but security standards are complex and targeted attacks are likely to increase. Other emerging threat vectors include the unique risks presented by drones, smart grids and autonomous vehicles.
Plan for CPS security
Unlike most IT cybersecurity threats, cyber-physical threats are of increasing concern because they could have a wide range of impacts, from mere annoyance to loss of life. Planning for CPS security is critical for mitigating such threats.
Start by documenting your organization’s business strategy, identifying the technology drivers and environmental trends that are unique to your enterprise and mapping them to a broad view of cyber-physical risk.
Use “voice of the business” language to lay out a vision statement that directly links the security and risk profiles of your organization’s CPS to business outcomes. This will create the foundation for a fresh revisit of the purpose of the risk and security function as a business enabler, and appropriately expand the risk, threat and vulnerability lens to a broader cyber-physical continuum.
For example, a public utility’s vision for cyber-physical security could be: “We will enable the delivery of reliable, economical and high-quality electricity services by ensuring safe, resilient, compliant and secure operations from our processing facilities and transmission infrastructure all the way to the client.”
Then, follow a classic current-state assessment, gap analysis, prioritization, approval and reporting process flow to formalize the vision into actions. This will create a fact-based business case approach that will help purposefully rally the organization behind common objectives.
Finally, monitor and adapt the strategy continuously to account for emerging risk impacts, such as regulations, the increasing autonomy of users and business units, changes in technologies, or changes in supply chain security profiles.
This will help the enterprise move toward a Continuous Adaptive Risk and Trust Assessment (CARTA) view of security and risk management, continuously monitoring and adapting as situations evolve.
===
Katell Thielemann is a research vice-president at Gartner, Inc. focusing on risk and security of cyber-physical systems. Gartner analysts will provide the latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summit 2021, taking place September 20-22 in Orlando, FL.
