Cyber-physical systems challenge traditional approaches to security and risk

Cristina De Luca

August 19, 2021

While IAM, network and endpoint security, application and data security, cloud security, and security operations are “priorities” for most security and risk management (SRM) leadership, they are not enough. As systems that interact with the physical world connect to cyber environments, Cyber-Physical Systems (CPS) are created and begin to challenge traditional security and risk approaches.

Cyber-Physical Systems (CPS) are integrations of computing, networking, and physical processes. Embedded computers and networks monitor and control physical processes, with feedback loops where physical processes affect computations and vice versa. 

In practice, CPSs are great “umbrellas” for other concepts such as:

Therefore, the economic and social potential of CPSs is much greater than has been realized, and major investments are being made around the world to develop the technology.

Through these systems, companies have the opportunity to represent the reality of the physical world in digital environments and thus carry out simulations, tests, and wear-and-tear predictions, among many other possibilities that the technology offers. This can represent significant gains in competitiveness for the business.

Today, the sectors that have benefited most from the creation of cyber-physical systems are those involving large infrastructures and costly operations, such as the oil and gas industry, power generation (power plants, dams, wind turbines, solar, etc.), distribution (transmission lines), aviation, heavy metal mechanics, among others, but also those producing critical goods and services, which must be very careful in analyzing their risks. Failures, when they occur in these sectors, imply significant losses or even loss of life.

Security perspective

From a security or privacy perspective, a cyber-physical (multi-agent) system is a network of sensors, actuators, and compute nodes, i.e. a system with multiple attack surfaces and latent exploits that originate through software attacks and physical attacks.

Many cyber-physical systems are part of the Internet of Things, which presents a major attack vector. Security needs to be built into IoT devices from the design stage. The focus should be on elementary access control, proper communication and authentication, and validation that the device has no known vulnerabilities before it is sold and used.

Care must be taken to ensure the security of the networks to which the Cyber-Physical Systems belong. This would include security audits, penetration testing, constant monitoring of what is happening to the network, and keeping the systems up to date.

Continually discovering, monitoring, assessing, and prioritizing risks, both proactively and reactively, across the cyber-physical continuum is a priority for security and risk management (SRM) professionals. Concerns about physical perimeter breaches, jamming, hacking, spoofing, tampering, command intrusion, denial of service (DoS), or malware deployed on physical assets need to be taken into consideration.

This assumes instrumenting the CPS infrastructure for comprehensive risk visibility into as many systems as possible along the cyber-physical continuum – network, access, identities, etc. – and monitoring CPS solutions, even if visibility is limited to logs or network traffic.

Today, modern network mapping tools, for example, are already commonplace in all professional network deployments and help system administrators keep track of everything that is important to them. They provide, for example, basic information about which devices are on a particular network, what their addresses are, which other components they communicate with directly (and when), which communication methods they use to do so, and much more. An up-to-date network view, whether it is called a network graph, map, or diagram, is indispensable to secure CPS solutions.
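As an added illustration (not part of the original article or of any specific product), the sketch below builds such a network view passively from flow records and flags communications that are missing from an approved baseline. The flow record format, the addresses and the baseline are constructed for the example; the port labels are the registered ports of common industrial protocols, which the article itself does not name.

```python
from datetime import datetime

# Constructed sample flow records: timestamp, source, destination, dest port, transport.
SAMPLE_FLOWS = """\
2021-08-19T08:00:01 10.0.1.10 10.0.2.21 502 tcp
2021-08-19T08:00:05 10.0.1.10 10.0.2.22 502 tcp
2021-08-19T08:01:12 10.0.1.11 10.0.2.21 44818 tcp
2021-08-19T08:05:40 10.0.1.10 10.0.2.21 502 tcp
2021-08-19T09:30:00 10.0.3.99 10.0.2.21 502 tcp
"""

# Registered ports of common industrial protocols (labels chosen for this example).
OT_PORTS = {102: "iso-tsap/s7", 502: "modbus", 20000: "dnp3", 44818: "ethernet/ip"}

# Constructed baseline of approved (source, destination, method) communications.
BASELINE = {
    ("10.0.1.10", "10.0.2.21", "modbus"),
    ("10.0.1.10", "10.0.2.22", "modbus"),
    ("10.0.1.11", "10.0.2.21", "ethernet/ip"),
}

def parse_flows(text):
    """Yield (timestamp, src, dst, port, transport) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, proto = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port), proto

def build_map(flows):
    """Map each (src, dst, method) edge to its first/last sighting and flow count."""
    edges = {}
    for ts, src, dst, port, proto in flows:
        method = OT_PORTS.get(port, f"{proto}/{port}")
        e = edges.setdefault((src, dst, method), {"first": ts, "last": ts, "count": 0})
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
        e["count"] += 1
    return edges

def devices(edges):
    """Every address seen as a source or destination."""
    return sorted({host for src, dst, _ in edges for host in (src, dst)})

def unapproved(edges, baseline):
    """Edges observed on the wire but absent from the approved baseline."""
    return sorted(edge for edge in edges if edge not in baseline)

if __name__ == "__main__":
    network_map = build_map(parse_flows(SAMPLE_FLOWS))
    print("devices:", devices(network_map))
    for edge in unapproved(network_map, BASELINE):
        print("not in baseline:", edge, "first seen", network_map[edge]["first"])
```
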

Some types of threats to cyber-physical systems are very old, especially in the case of insider threats. In 2000, for example, a disgruntled contractor rigged the SCADA radio-controlled sewage equipment for the Maroochy Shire Council in Queensland, Australia, to dump 800,000 liters of raw sewage into local parks.

More recently, ransomware attacks have taken down pipelines, disrupted logistics operations, and even steel production… Someone hacked into the control system of a water treatment plant in Florida, USA, and tried to add potentially dangerous amounts of sodium hydroxide to the water supply. A GPS spoof affected ship navigation and hackers accessed a casino’s database of high-risk gamblers through a fishbowl.

There are also emerging threats to watch out for. 5G, for example, has many benefits such as faster communications, but security standards are complex and targeted attacks are likely to increase. Other emerging threat vectors include the unique risks posed by drones, smart grids, and autonomous vehicles.

Gartner predicts that the financial impact of CPS attacks resulting in fatalities will reach more than $50 billion by 2023. Even without taking into account the value of human life, the costs to organizations in terms of compensation, litigation, insurance, regulatory fines, and loss of reputation will be significant.

Not coincidentally, in the consultancy’s projections, by 2023, 75% of organizations will restructure risk and security governance to address new CPS and converged IT, OT, Internet of Things (IoT), and physical security needs.

In the report “How to develop a security vision and strategy for cyber-physical systems”, Gartner provides a detailed strategic plan to formalize this process, which highlights 7 crucial steps to ensure managers emerge with the best possible CPS strategy:

  • Vision Statement: Organizations should create vision statements that are concise, clear, relevant, and goal-oriented. These statements should incorporate individual company goals and consider technology/environmental trends specific to the market and its unique risks.
  • Current State Assessment: Organizations should gain insight into the situation by reaching out to anyone involved in the CPS to ask questions. These questions, which may cover risk, compliance, decision making, etc. will identify any improvements that need to be made.
  • Gap Analysis: According to Gartner, the gap analysis should focus on culture, governance, skills, and business impact analysis and should act as a bridge between the vision statement and current state assessment. This step should be thought of as an overarching strategic shift rather than small tactical changes and should lay a solid foundation for future decisions.
  • Prioritization: After identifying the tasks that must be completed, prioritization is a crucial next step. Gartner recommends splitting these activities into 2 groups: activities that SRM leaders can complete on their own, and activities that would require organizational investment.
  • Approvals: For the activities that require buy-in from the organization, approvals are necessary. To obtain these approvals, it is important to outline the rationale, organize the approach, and engage with stakeholders before presenting to senior management.
  • Reporting: Reporting is an extremely important step in maintaining an effective CPS strategy, and according to Gartner, should focus on measuring “safety, operational resilience, physical security or supply-chain-security measures”.
  • Continuous monitoring: As outlined above, the security and risk management landscape is always changing. New risks are coming up every day, which means that no security strategy is flawless. This fact is what makes continuous monitoring and adjusting to changes so important.

Conclusion

To create a CPS strategy that supports resilience and business growth goals in today’s rapidly evolving environments, security and risk leaders need to follow these steps:

  • Lay out a vision and strategy that directly links security and risk profiles to business outcomes.
  • Follow a classic current-state assessment, gap analysis, prioritization, approval, and reporting process flow to formalize the vision into actions.
  • Monitor and adapt the strategy continuously to account for emerging risk impacts, such as regulations, the increasing autonomy of users and business units, or changes in technologies.