Cyber-physical systems challenge traditional approaches to security and risk
August 19, 2021
While IAM, network and endpoint security, application and data security, cloud security, and security operations are “priorities” for most security and risk management (SRM) leadership, they are not enough. As systems that interact with the physical world connect to cyber environments, Cyber-Physical Systems (CPS) are created and begin to challenge traditional security and risk approaches.
Cyber-Physical Systems (CPS) are integrations of computing, networking, and physical processes. Embedded computers and networks monitor and control physical processes, with feedback loops where physical processes affect computations and vice versa.
In practice, CPSs are great “umbrellas” for other concepts such as:
Therefore, the economic and social potential of CPS is much greater than has been realized, and major investments are being made around the world to develop the technology.
Through these systems, companies have the opportunity to represent the reality of the physical world in digital environments and thus carry out simulations, tests, and wear-and-tear predictions, among many other possibilities that the technology offers. This can represent significant gains in competitiveness for the business.
Today, the sectors that have benefited most from the creation of cyber-physical systems are those involving large infrastructures and costly operations, such as the oil and gas industry, power generation (power plants, dams, wind turbines, solar, etc.), distribution (transmission lines), aviation, heavy metal mechanics, among others, but also those producing critical goods and services, which must be very careful in analyzing their risks. Failures, when they occur in these sectors, imply significant losses or even loss of life.
From a security or privacy perspective, a cyber-physical (multi-agent) system is a network of sensors, actuators, and compute nodes, i.e. a system with multiple attack surfaces and latent exploits that originate through software attacks and physical attacks.
Many cyber-physical systems are part of the Internet of Things, which presents a major attack vector. IoT devices need security built in from the design stage. The focus should be placed on elementary access control, proper communication and authentication, and validating that the device has no known vulnerabilities before it is sold and used.
Care must be taken to ensure the security of the networks to which the Cyber-Physical Systems belong. This would include security audits, penetration testing, constant monitoring of what is happening to the network, and keeping the systems up to date.
Continually discovering, monitoring, assessing, and prioritizing risks, both proactively and reactively, across the cyber-physical continuum is a priority for security and risk management (SRM) professionals. Concerns about physical perimeter breaches, jamming, hacking, spoofing, tampering, command intrusion, denial of service (DoS), or malware deployed on physical assets need to be taken into consideration.
This assumes instrumenting the CPS infrastructure for full and comprehensive risk visibility of as many systems as possible along the cyber-physical continuum (network, access, identities, etc.) and monitoring CPS solutions, even if visibility is limited to logs or network traffic.
Today, modern network mapping tools, for example, are already commonplace in all professional network deployments and help system administrators keep track of everything that is important to them. They provide basic information about which devices are on a particular network, what their addresses are, which other components they communicate with directly (and when), which communication methods they use to do so, and much more. An up-to-date network view (whether it’s called a network graph, map, or diagram) is indispensable to secure CPS solutions.
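As an added illustration (not part of the original article), the sketch below builds such a map from flow records when visibility is limited to network traffic, then compares it with a previously approved map to surface new communication paths. The flow-record format, the addresses and the baseline are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records: timestamp, source, destination, protocol/port.
FLOWS = """\
2021-08-19T08:00:01 10.0.5.10 10.0.5.20 modbus/502
2021-08-19T08:00:02 10.0.5.11 10.0.5.20 modbus/502
2021-08-19T08:05:00 10.0.5.10 10.0.5.30 opcua/4840
2021-08-19T09:12:44 10.0.9.77 10.0.5.20 modbus/502
2021-08-19T09:13:10 10.0.5.10 10.0.5.20 modbus/502
"""

# Edges approved at the last review of the map (assumed baseline).
BASELINE = {
    ("10.0.5.10", "10.0.5.20", "modbus/502"),
    ("10.0.5.11", "10.0.5.20", "modbus/502"),
    ("10.0.5.10", "10.0.5.30", "opcua/4840"),
}

def build_map(text):
    """Return {(src, dst, proto): {"first", "last", "count"}} from flow lines."""
    edges = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than guess
        ts = datetime.fromisoformat(parts[0])
        edge = edges.setdefault(tuple(parts[1:]), {"first": ts, "last": ts, "count": 0})
        edge["first"], edge["last"] = min(edge["first"], ts), max(edge["last"], ts)
        edge["count"] += 1
    return edges

def devices(edges):
    """Every address seen, mapped to the peers it talks to directly."""
    peers = defaultdict(set)
    for src, dst, _ in edges:
        peers[src].add(dst)
        peers[dst].add(src)
    return dict(peers)

def unexpected(edges, baseline):
    """Edges present in traffic but absent from the approved map."""
    return sorted(key for key in edges if key not in baseline)

if __name__ == "__main__":
    net = build_map(FLOWS)
    for addr, peers in sorted(devices(net).items()):
        print(addr, "<->", ", ".join(sorted(peers)))
    for key in unexpected(net, BASELINE):
        print("NEW:", *key, "first seen", net[key]["first"].isoformat())
```

Each unexpected edge is a prompt for review: either the map is out of date or a device is talking to a controller it was never approved to reach.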
Some types of threats to cyber-physical systems are very old, especially in the case of insider threats. In 2000, for example, a disgruntled contractor rigged the SCADA radio-controlled sewage equipment for the Maroochy Shire Council in Queensland, Australia, to dump 800,000 liters of raw sewage into local parks.
More recently, ransomware attacks have taken down pipelines, disrupted logistics operations, and even steel production… Someone hacked into the control system of a water treatment plant in Florida, USA, and tried to add potentially dangerous amounts of sodium hydroxide to the water supply. A GPS spoof affected ship navigation and hackers accessed a casino’s database of high-risk gamblers through a fishbowl.
There are also emerging threats to watch out for. 5G, for example, has many benefits such as faster communications, but security standards are complex and targeted attacks are likely to increase. Other emerging threat vectors include the unique risks posed by drones, smart grids, and autonomous vehicles.
Gartner predicts that the financial impact of CPS attacks resulting in fatalities will reach more than $50 billion by 2023. Even without taking into account the value of human life, the costs to organizations in terms of compensation, litigation, insurance, regulatory fines, and loss of reputation will be significant.
Not coincidentally, in the consultancy’s projections, by 2023, 75% of organizations will restructure risk and security governance to address new CPS and converged IT, OT, Internet of Things (IoT), and physical security needs.
In the report “How to develop a security vision and strategy for cyber-physical systems” Gartner provides a detailed strategic plan to formalize this process, which highlights 7 crucial steps to ensure managers emerge with the best possible CPS strategy:
To create a CPS strategy that supports resilience and business growth goals in today’s rapidly evolving environments, security and risk leaders need to follow these steps: