In early February, an unknown hacker remotely accessed a computer system at a water treatment plant in Florida and attempted to increase the amount of sodium hydroxide in the water supply to potentially dangerous levels.
An operator noticed the intrusion, but the incident shows the potential for harm when the cyber and physical worlds intersect. These cyber-physical systems introduce a new set of risks that few security and risk leaders have had to consider.
Cyber-physical systems face security threats unlike those affecting enterprise IT systems.
Although enterprise IT security is generally well-known and managed, cyber-physical systems challenge traditional security approaches. That is because these systems process more than information; they manage and optimise physical outcomes, from individual processes to entire ecosystems.
In a recent Gartner survey, security and risk leaders ranked the Internet of Things and cyber-physical systems as their top concerns for the next three to five years.
Due to their very nature, cyber-physical systems face security threats unlike those affecting enterprise IT systems. They are typically used in operations or mission-critical environments where value is created for organisations, so attackers are increasingly targeting them.
The term cyber-physical systems encompass concepts such as IoT, smart city and systems created as a result of operational technology and IT convergence. By using the broader term, Gartner encourages security and risk leaders to think beyond IT security and develop security programs encompassing the entire spectrum of cyber-physical risk.
Cyber-physical systems are used in operations where value is created for organisations.
Gartner predicts that by 2025, 50% of asset-intensive organisations such as utilities, resources and manufacturing firms will converge their cyber, physical and supply chain security teams under one chief security officer role that reports directly to the CEO.
Some types of threats to cyber-physical systems go way back, for example, insider threats. In 2000, a disgruntled contractor manipulated SCADA radio-controlled sewage equipment for the Maroochy Shire Council in Queensland, Australia, to dump 800,000 liters of raw sewage into local parks.
Cyber-physical systems encompass IoT and smart city created from convergence of operational technology and IT.
More recently, ransomware attacks have brought down gas pipelines, halted logistics operations and disrupted steel production. GPS spoofing has affected ship navigation, and hackers accessed a casino’s high-stakes gamblers database through an aquarium.
There are also emerging threats to look out for. 5G, for example, has many benefits such as faster communications, but security standards are complex and targeted attacks are likely to increase. Other emerging threat vectors include the unique risks presented by drones, smart grids and autonomous vehicles.
Risk leaders need to think beyond IT security and develop security programs encompassing cyber-physical risk.
Start by documenting your organisation’s business strategy, identifying the technology drivers and environmental trends that are unique to your enterprise, and mapping them to a broad view of cyber-physical risk.
Use voice of the business language to lay out a vision statement that directly links the security and risk profiles of your organisation’s cyber-physical systems to business outcomes.
For example, a public utility’s vision for cyber-physical security could be:
We will enable delivery of reliable, economical and high-quality electricity services by ensuring safe, resilient, compliant and secure operations from our processing facilities and transmission infrastructure all the way to the client.
Then, follow a classic strategic planning process to formalise the vision into actions
Unlike most IT cybersecurity threats, cyber-physical threats are of increasing concern because they could have a wide range of impacts, from mere annoyance to loss of life.
Faced with growing threats to critical assets, organisations need to expand security programs to encompass cyber-physical systems.