3 Planning Assumptions for Securing Cyber-Physical Systems of Critical Infrastructure

February 08, 2022

Contributor: Robert Snow

It’s more important than ever for CIOs and cybersecurity leaders to be vigilant and consider these projections.

In short:

  • Concerns for the security of cyber-physical systems (CPS) in critical infrastructure are growing.
  • The risks are significant and real. Attacks can be catastrophic, but may go unnoticed for years as attackers wait to strike. Therefore, governments worldwide are mandating more security controls for mission-critical cyber-physical systems. 
  • Security and risk management leaders can lean on Gartner predictions to plan ahead for potential risks.

The risks are significant and real. Attacks on organizations in critical infrastructure sectors have risen dramatically, from less than 10 in 2013 to almost 400 in 2020. That’s a 3,900% increase.

The impact can also be lethal, and yet incursions can easily go unnoticed. It’s not surprising, then, that governments worldwide are mandating more security controls for mission-critical cyber-physical systems. 

Download now: 3 Must-Haves in Your Cybersecurity Incident Response Plan

The crux of the problem is that traditional network-centric, point solution security tools are no longer sufficient to combat the speed and complexity of today’s cyberattacks. This is particularly the case as operational technology (OT), which connects, monitors and secures industrial operations (machines), continues to converge with the technology backbone that processes the organization’s information (information technology).

“Over time, the technologies that underpin critical infrastructure have become more digitized and connected to enterprise IT systems and sometimes to each other, creating cyber-physical systems,” says Gartner VP Analyst Katell Thielemann. “CPS are composed of both legacy infrastructure deployed years ago without built-in security and new assets, which are also deployed full of vulnerabilities.”

This evolution leaves all CPS at significant risk of attack by hackers and bad actors of all kinds, including CPS that forms the foundation of critical infrastructure. 

Download now: Cybersecurity Companies That Offer Innovative Solutions

What is critical infrastructure?

In the United States, 16 sectors, including commercial facilities, communications, energy, financial services, and water and wastewater systems, have been deemed critical infrastructure. Other countries have identified similar sectors.

Not only is each of these sectors critical to the proper functioning of modern societies, but they are also interdependent, and an attack on one can have a direct impact on others.

In many countries, critical infrastructure is state-owned, while in others like the U.S., private industry owns and operates a much larger portion of it.

Read more: Your Guide to Cybersecurity

16 Critical Infrastructures in the U.S.

Three cyber-physical systems predictions to consider

CPS in critical infrastructure is too new an area in which to develop highly accurate security predictions, but Gartner’s strategic planning assumptions raise awareness of important scenarios that can help you consider and prioritize security initiatives.

Here are three, and the related actions required.

No.1: By 2024, a cyberattack will so damage critical infrastructure that a member of the G20 will reciprocate with a declared physical attack.

Action: Coordinate closely with military leaders who will soon be involved in defense of private enterprises (for example, by establishing responsibility for that coordination).

No. 2: By 2024, 80% of critical infrastructure organizations will abandon their existing siloed security solutions providers by adopting hyperconverged solutions to bridge cyber-physical and IT risks.

Action: Accelerate the convergence of the CPS security stack, and bolster strategies to mitigate risk by evaluating suppliers of critical infrastructure devices and software against best-of-breed product security features.

No. 3: Through 2026, less than 30% of U.S. critical infrastructure owners and operators will meet newly mandated government security requirements for cyber-physical systems.

Action: Develop an adequate CPS security strategy by deploying a holistic approach in which OT, the Internet of Things (IoT), industrial IoT and IT security are managed in a coordinated effort, not in isolation. Also identify and fill gaps in capabilities, and invest in threat intelligence support.

Recommendations for cybersecurity leaders 

The key is to develop a holistic, coordinated CPS security strategy while also incorporating into governance emerging security directives for critical infrastructure. The “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems,” for example, is prioritizing the electricity and natural gas pipeline sectors, followed by the water/wastewater and chemical sectors in the U.S.

Equally important is conducting a complete inventory of OT/IoT security solutions used within your organization, as well as performing an evaluation of standalone or multifunction platform-based security options to further accelerate CPS security stack convergence.

Experience IT Security and Risk Management conferences

Join your peers for the unveiling of the latest insights at Gartner conferences.

Recommended resources for Gartner clients*:

Predicts 2022: Cyber-Physical Systems Security — Critical Infrastructure in Focus

Facing New Vulnerabilities — Cyber-Physical Systems Mandate Changes to Traditional IT Governance

Quick Answer: Emerging Regulations, Standards and Frameworks for Cyber-Physical Systems Security

Facing New Threats — Cyber-Physical Systems

How to Develop a Security Vision and Strategy for Cyber-Physical Systems

*Note that some documents may not be available to all Gartner clients.