In early February, an unknown hacker remotely accessed a computer system at a water treatment plant in Florida and attempted to increase the amount of sodium hydroxide in the water supply to potentially dangerous levels.
An operator noticed the intrusion, but the incident shows the potential for harm when the cyber and physical worlds intersect. These cyber-physical systems introduce a new set of risks that few security and risk leaders have had to consider.
Download eBook: 2021 Top Priorities for Security and Risk Management Leaders
Although enterprise IT security is generally well-known and managed, cyber-physical systems challenge traditional security approaches. That’s because these systems process more than information; they manage and optimize physical outcomes, from individual processes to entire ecosystems.
In a recent Gartner survey, security and risk leaders ranked the Internet of Things (IoT) and cyber-physical systems as their top concerns for the next three to five years.
“Due to their very nature, cyber-physical systems face security threats unlike those affecting enterprise IT systems,” says Katell Thielemann, VP Analyst, Gartner. “They are typically used in operations or mission-critical environments where value is created for organizations, so attackers are increasingly targeting them.”
Expand your risk lens to cyber-physical systems
The term cyber-physical systems encompasses concepts such as IoT, smart city and systems created as a result of operational technology (OT) and IT convergence. By using the broader term, Gartner encourages security and risk leaders to think beyond IT security and develop security programs encompassing the entire spectrum of cyber-physical risk.
Gartner predicts that by 2025, 50% of asset-intensive organizations such as utilities, resources and manufacturing firms will converge their cyber, physical and supply chain security teams under one chief security officer role that reports directly to the CEO.
The risks are real
Some types of threats to cyber-physical systems go way back, for example, insider threats. In 2000, a disgruntled contractor manipulated SCADA radio-controlled sewage equipment for the Maroochy Shire Council in Queensland, Australia, to dump 800,000 liters of raw sewage into local parks.
More recently, ransomware attacks have brought down gas pipelines, halted logistics operations and disrupted steel production. GPS spoofing has affected ship navigation, and hackers accessed a casino’s high-stakes gamblers database through an aquarium.
Read more: How to Respond to a Supply Chain Attack
There are also emerging threats to look out for. 5G, for example, has many benefits such as faster communications, but security standards are complex and targeted attacks are likely to increase. Other emerging threat vectors include the unique risks presented by drones, smart grids and autonomous vehicles.
Plan for cyber-physical systems security
Start by documenting your organization’s business strategy, identifying the technology drivers and environmental trends that are unique to your enterprise, and mapping them to a broad view of cyber-physical risk.
Use “voice of the business” language to lay out a vision statement that directly links the security and risk profiles of your organization’s cyber-physical systems to business outcomes.
For example, a public utility’s vision for cyber-physical security could be:
“We will enable delivery of reliable, economical and high-quality electricity services by ensuring safe, resilient, compliant and secure operations from our processing facilities and transmission infrastructure all the way to the client.”
Then, follow a classic strategic planning process to formalize the vision into actions
“Unlike most IT cybersecurity threats, cyber-physical threats are of increasing concern because they could have a wide range of impacts, from mere annoyance to loss of life,” Thielemann says.