Cyber-physical systems connect the digital and physical worlds. They can come in many forms, including industrial control systems, operational technology devices, IoT, and robotic and autonomous systems. As these systems connect to each other and to enterprise systems, however, they greatly expand the enterprise attack surface.
CPSes are increasingly targeted for cyber attacks for two main reasons. First, they underpin all critical infrastructure supporting national economic prosperity. Attacks on these systems often carry a national security dimension, as evidenced by attacks on a U.S. gas pipeline operator, the Ukrainian power grid and Belarusian railroads. Second, these systems underpin production and mission-critical systems for organizations in industries such as manufacturing, transportation, healthcare delivery and utilities. This makes them attractive targets for attackers seeking ransom payments in exchange for preventing shutdowns.
Security and risk management leaders face challenges updating their governance efforts to incorporate CPS security. As cybersecurity governance evolves beyond enterprise IT systems, security and risk leaders should follow a six-phase CPS security governance roadmap, learning from the best practices of leading organizations.
Phase 1. Awareness
As a first step, CISOs must understand the existing security landscape for CPSes. When it comes to CPSes, safeguarding information is important but not enough. The very nature of connecting cyber systems with physical processes in production or mission-critical environments means ensuring safety and operational uptime are core design principles. This challenges typical IT risk tolerance determinations, bringing about the realization that most existing IT cybersecurity policies are inadequate and budgets are scattered. In addition, the rapidly evolving threat landscape creates urgency to start the process of discovery.
Spend time understanding the organization's business model and what metrics drive business leaders in operational or production environments. If uptime is paramount, for example, cybersecurity risk discussions need to align to that outcome. Start documenting who, if anyone, currently governs aspects of CPS security, such as risk tolerance, security controls and policies, and roles and responsibilities in case of an incident.
Phase 2. Outreach, asset discovery and network topology mapping
This phase is where the process of discovery starts. CISOs may find that no one oversees CPS security and no one has an accurate inventory of all CPSes in the enterprise. The larger, more complex and more geographically dispersed an organization is, the more urgent it is to deploy specialized asset discovery and network topology tools.
With support from C-suite peers, establish a cross-functional steering committee with participation from IT, cybersecurity and various business units, such as engineering, process automation and supply chain management. Work with the steering committee to select CPS protection platform vendors and compare proof of value in a controlled production environment.
Phase 3. The 'Oh wow!' moment
In this phase, the breadth and depth of CPS security gaps become evident. The organization likely has more CPSes than anyone thought. CPSes may be discoverable on the internet, or OEMs may be remoting in without established policies. Firewalls are misconfigured, open ports are everywhere and shift workers share passwords. Discovering these CPS security gaps sets the stage for remediation planning.
When reporting these findings to senior executives, translate the effect of cybersecurity gaps into business risk as you request their support and resources. Task the steering committee with defining baseline KPIs, metrics and minimal goals to achieve while planning risk mitigation efforts.
Phase 4. Firefighting
Cybersecurity remediation activities need to be prioritized, planned and funded. By now, the steering committee should be able to make tradeoffs between cyber-risk and business performance when it comes to prioritizing cybersecurity activities.
Prioritize remediation activities across sites, business lines and geographies based on criticality of potential exposure and potential business disruption in case of an attack. Adopt feasibility as a key principle when it comes to updating equipment while reducing risk. Clarity for roles and responsibilities is paramount and lays the foundation for further integration.
Phase 5. Integration
Once initial critical cybersecurity remediation efforts are completed, turn the focus to continuous monitoring and longer-term projects. Within the cybersecurity team, outputs from the deployed CPS protection platforms must be calibrated and fed into centralized IT cybersecurity tools. Across the business, shift the focus to cross-training cybersecurity resources, policies and budgets, as well as enhancing the steering committee's engagement and oversight.
Gradually feed CPS security monitoring data to centralized IT cybersecurity tools, such as SIEM; security orchestration, automation and response; and security operations center products and services. Ensure existing IT cybersecurity tools are not overloaded with feeds from CPS protection platforms. Careful calibration is also necessary to avoid an avalanche of false positives.
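The calibration step above, that is, keeping a CPS protection platform feed from flooding the SIEM, is usually done at the forwarding layer: suppress alerts below a severity floor that each site sets for itself, and collapse repeats of the same rule on the same asset within a short window into one event carrying a count. The block below is an added example, not code from the article or from any vendor platform; the alert records, site names, severity floors and the 10-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample alerts as a CPS protection platform might emit them (not real data).
SAMPLE_ALERTS = [
    {"ts": "2024-03-01T08:00:00", "site": "plant-a", "asset": "plc-12", "rule": "unauthorized-write", "severity": 8},
    {"ts": "2024-03-01T08:00:05", "site": "plant-a", "asset": "plc-12", "rule": "unauthorized-write", "severity": 8},
    {"ts": "2024-03-01T08:00:09", "site": "plant-a", "asset": "plc-12", "rule": "unauthorized-write", "severity": 8},
    {"ts": "2024-03-01T08:01:00", "site": "plant-a", "asset": "hmi-3", "rule": "new-device-seen", "severity": 3},
    {"ts": "2024-03-01T08:02:00", "site": "plant-b", "asset": "hmi-7", "rule": "new-device-seen", "severity": 3},
    {"ts": "2024-03-01T08:20:00", "site": "plant-a", "asset": "plc-12", "rule": "unauthorized-write", "severity": 8},
]

# Assumed per-site severity floors agreed with local engineers: plant-b is being
# commissioned, so "new device seen" is routine there and only higher severities go on.
SITE_MIN_SEVERITY = {"plant-a": 3, "plant-b": 5}
DEFAULT_MIN_SEVERITY = 5
DEDUP_WINDOW = timedelta(minutes=10)


def calibrate(alerts, site_min_severity=SITE_MIN_SEVERITY, window=DEDUP_WINDOW):
    """Return the events that should be forwarded to the SIEM.

    Two controls are applied:
      1. an alert below its site's severity floor is dropped;
      2. repeats of the same (site, asset, rule) inside `window` are folded into
         the first event, which carries `count` and `last_seen` instead.
    """
    forwarded = []
    open_windows = {}  # (site, asset, rule) -> index of the open event in `forwarded`
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        floor = site_min_severity.get(alert["site"], DEFAULT_MIN_SEVERITY)
        if alert["severity"] < floor:
            continue
        key = (alert["site"], alert["asset"], alert["rule"])
        ts = datetime.fromisoformat(alert["ts"])
        idx = open_windows.get(key)
        if idx is not None:
            first_seen = datetime.fromisoformat(forwarded[idx]["first_seen"])
            if ts - first_seen <= window:
                forwarded[idx]["count"] += 1
                forwarded[idx]["last_seen"] = alert["ts"]
                continue
        forwarded.append({
            "site": alert["site"],
            "asset": alert["asset"],
            "rule": alert["rule"],
            "severity": alert["severity"],
            "first_seen": alert["ts"],
            "last_seen": alert["ts"],
            "count": 1,
        })
        open_windows[key] = len(forwarded) - 1
    return forwarded


def reduction_ratio(alerts, forwarded):
    """Fraction of raw alerts that did not become separate SIEM events (useful as a KPI)."""
    if not alerts:
        return 0.0
    return 1 - len(forwarded) / len(alerts)


if __name__ == "__main__":
    events = calibrate(SAMPLE_ALERTS)
    for e in events:
        print(e)
    print(f"reduction: {reduction_ratio(SAMPLE_ALERTS, events):.0%}")
```

With the constructed feed, six raw alerts become three SIEM events: the three rapid `unauthorized-write` repeats on `plc-12` collapse into one event with `count == 3`, the later repeat 20 minutes on opens a fresh event, and plant-b's low-severity new-device alert never leaves the site. The severity floor is the knob each site tunes to its own tolerance, which is exactly the kind of local calibration the paragraph calls for.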
Update cybersecurity incident response processes to include CPS incidents. Define policies that take into consideration the wide range of production cadences. For example, the policy could be: "Have a recent backup," but each site would decide the backup age -- whether it should be a day, a week or six months. Ensure you have an updated communication tree with site contacts. It is unlikely that business units will let IT cybersecurity analysts make changes on the fly from afar, so local engineers are needed to investigate alerts.
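The "have a recent backup, each site decides the age" policy, together with the site communication tree, can be checked automatically against the CPS asset inventory. The block below is an added example, not code from the article; the site names, backup-age limits, contacts and backup timestamps are constructed, and the check simply flags each asset as compliant, stale or missing and names the site contact who should be asked to investigate.

```python
from datetime import datetime, timedelta

# Enterprise-wide rule: "have a recent backup". Each site sets what "recent" means
# for its production cadence (assumed values for illustration).
SITE_MAX_BACKUP_AGE = {
    "plant-a": timedelta(days=1),
    "plant-b": timedelta(weeks=1),
    "remote-substation": timedelta(days=180),
}
DEFAULT_MAX_BACKUP_AGE = timedelta(days=7)  # applied to sites that have not set their own limit

# Assumed communication tree: the local engineer to contact per site.
SITE_CONTACTS = {
    "plant-a": "ot-engineer-a@example.invalid",
    "plant-b": "ot-engineer-b@example.invalid",
    "remote-substation": "field-ops@example.invalid",
}

# Constructed inventory of CPS assets with the last verified configuration backup.
LAST_BACKUPS = [
    {"site": "plant-a", "asset": "plc-12", "last_backup": "2024-03-01T02:00:00"},
    {"site": "plant-a", "asset": "hmi-3", "last_backup": "2024-02-20T02:00:00"},
    {"site": "plant-b", "asset": "hmi-7", "last_backup": "2024-02-26T02:00:00"},
    {"site": "remote-substation", "asset": "rtu-1", "last_backup": "2023-10-15T02:00:00"},
    {"site": "plant-c", "asset": "plc-1", "last_backup": None},  # never backed up, site has no limit set
]


def evaluate_backups(records, now, limits=SITE_MAX_BACKUP_AGE, contacts=SITE_CONTACTS):
    """Classify every asset as 'ok', 'stale' or 'missing' against its site's backup-age limit."""
    findings = []
    for rec in records:
        limit = limits.get(rec["site"], DEFAULT_MAX_BACKUP_AGE)
        finding = {
            "site": rec["site"],
            "asset": rec["asset"],
            "limit_days": limit.days,
            "contact": contacts.get(rec["site"], "UNASSIGNED"),  # gap in the communication tree
        }
        if rec["last_backup"] is None:
            finding.update(status="missing", age_days=None)
        else:
            age = now - datetime.fromisoformat(rec["last_backup"])
            finding.update(status="ok" if age <= limit else "stale", age_days=age.days)
        findings.append(finding)
    return findings


def escalations(findings):
    """Group non-compliant assets by site so each site contact gets one consolidated request."""
    by_site = {}
    for f in findings:
        if f["status"] != "ok":
            by_site.setdefault((f["site"], f["contact"]), []).append(f["asset"])
    return by_site


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-01T12:00:00")
    results = evaluate_backups(LAST_BACKUPS, now)
    for f in results:
        print(f)
    for (site, contact), assets in escalations(results).items():
        print(f"escalate to {contact} ({site}): {', '.join(assets)}")
```

Run at noon on 1 March 2024 with the constructed data, the check passes `plc-12` (10 hours old against a one-day limit), `hmi-7` (four days against a week) and `rtu-1` (138 days against six months), flags `hmi-3` as stale, and flags `plc-1` as missing under the default limit with an unassigned contact, which is itself a finding: the communication tree has a hole.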
Phase 6. Optimization
In this phase, the focus is on optimizing cybersecurity efforts for business resilience, operational differentiation and growth. Unlike IT cybersecurity platforms, CPS protection platforms collect continuous asset telemetry, performance and usage data that can be used by engineers, maintainers or asset operators. Sharing this information can open the door to business-led process improvement or cost control.
Run every new technology introduction as a controlled pilot exercise with representatives from both cybersecurity and business units. Develop a "trust but verify, remediate, mitigate or escalate" model. Production teams can deploy new technology, but they are responsible for their cybersecurity, which is monitored and reported transparently on dashboards. Failures to remediate are escalated.
Organize workshops to enable different teams to come together and discuss cybersecurity issues, and define future visions and plans. This not only leads to diversity of ideas, but also helps unite the two different worlds and expose people to issues and challenges experienced by others.
Leading organizations increasingly adopt a "look for similarities but acknowledge and respect differences" approach to IT and CPS security. This six-phase approach enables partnership across security and the business to ensure the most comprehensive approach, using innovative practices to adapt cybersecurity controls to business operational realities.
About the author
Katell Thielemann is an analyst at Gartner, focusing on risk and security of cyber-physical systems. Thielemann and other Gartner analysts will provide additional insights on securing CPSes at the Gartner Security & Risk Management Summit taking place June 5-7 in National Harbor, Md.