Each of us relies on organizations in critical sectors to supply goods and services that support our lives — from water, food, and shelter, to energy and fuel, to clothing and medicine, to transportation and healthcare, among others. While these items vary in purpose and value, the processes through which they are produced and provided share a key trait: They all involve physical systems that are being increasingly connected to the internet — and thus increasingly evolving into cyber-physical systems (CPS). Examples of CPS in critical sectors include:
Operational technology (OT) equipment such as programmable logic controllers (PLCs) that support critical processes in industrial environments. These systems are connected internally to workstations that can typically be accessed remotely for maintenance; other cyber components include industrial internet of things (IIoT) devices such as smart sensors. Digital transformation efforts driven by business or IT teams have also been known to inadvertently create connectivity between industrial and enterprise IT networks.
Medical imaging equipment such as MRI machines and CT scanners, as well as internet of medical things (IoMT) devices such as smart vitals monitors and infusion pumps that support critical care delivery in healthcare environments. These systems are usually connected to organizations' IT networks.
Highly interconnected CPS have become pervasive in industrial and healthcare environments over the past decade due to the clear benefits they can deliver, including driving innovation, resilience, sustainability, and better health outcomes, to name a few. But despite these benefits, CPS' underlying connectivity can also heighten exposure to risks. Many of the physical assets that underpin CPS in critical sectors are brownfield OT or medical devices designed years ago without security in mind because they were never intended to be connected to the internet. Now that more and more are, indeed, directly or indirectly connecting to the internet — they are vulnerable to cyber threats.
The serious risks posed by these threats have become harsh realities in recent years due to an uptick in highly destructive cyber attacks that have taken advantage of security weaknesses in CPS across all critical sectors. Among the many notable examples:
The WannaCry ransomware attack that fueled extensive shutdowns of healthcare systems, emergency services, and countless other organizations globally in 2017
The Norsk Hydro attack that resulted in more than $75 million in losses in 2019
The Colonial Pipeline attack that led to record-breaking fuel shortages in 2021
Eager to achieve the benefits of CPS while minimizing such risks, organizations in critical sectors are embracing what the market has deemed the default approach for securing CPS: highly specialized tools with deep domain expertise in specific devices from specific verticals. Such tools are effective at securing their respective devices — but what about other devices? For example, what if a hospital upgrades to smart security cameras (which are enterprise IoT, not IoMT, devices)? How about if an electric company installs smart air quality sensors (which, similarly, are enterprise IoT, not OT, devices)?
Both organizations would likely encounter deficiencies in their existing security tools because they were not designed for securing enterprise IoT, which encompasses everything from smart lighting systems and other BMS equipment, to security systems, to commercial appliances and even vending machines. While common applications for these types of devices tend to focus on comfort, convenience, or cost efficiency — and are thus usually deemed lower-risk and less-critical than their industrial or healthcare counterparts — securing them is just as crucial because they can still serve as entry points into higher-risk, more-critical environments.
The 2017 hack of a casino via an IoT device in a lobby aquarium is among many well-known examples of this. The device — which allowed the fish tank to be maintained remotely — contained a vulnerability that attackers exploited as a stepping stone from which to penetrate the casino's internal database and ultimately compromise more than 10 gigabytes of proprietary personal and payment data from top patrons.
Enterprise IoT technology has come a long way in the years following the casino aquarium breach, and its adoption has since skyrocketed. This trend persists across both critical and non-critical sectors, driving more connectivity than ever before between the cyber and physical worlds spanning industrial, healthcare, and enterprise environments: The Extended Internet of Things (XIoT).
Naturally, with this even greater connectivity comes even greater exposure to risks that appear to be swiftly escalating. Not only have ransomware attacks affecting CPS in all sectors reached record-breaking highs in 2021, but 82% of healthcare systems have reported IoT cyber attacks in just the last 18 months. In response, a surge of new security regulations has emerged from policymakers globally, urging — if not mandating — organizations to take action. The challenge is, organizations really only have two existing options to secure the XIoT, and neither is ideal:
Continue to use disparate, specialized tools to secure the connected devices in their industrial, healthcare, and/or enterprise networks separately. This approach inevitably creates costly management overhead and fails to provide holistic visibility into risks.
Attempt to use existing IT security tools. This approach fails because IT security tools are not only technically and fundamentally incompatible with the protocols and workflows used by CPS — but in many cases, they cannot even identify them to begin with.
These conditions make it abundantly clear that organizations need a new approach for securing this ever-expanding universe of the XIoT. The ideal solution is a truly unified platform fueled by:
Broad domain knowledge of the physical systems and workflows that underpin each vertical and environment in which all manner of CPS are connected
Deep capabilities, including full-spectrum visibility, exposure management, threat detection, and secure access controls — all of which should also integrate seamlessly with an organization's existing technology stack
No single solution like this exists today. Recognizing the serious risks and challenges incited by this gap, Claroty is deeply committed to addressing it.
To that end, our mission is to secure cyber-physical systems of connected organizations. The first step to achieving this mission has always been to empower our customers to succeed in securing their industrial environments — and we have. I can confidently say that Claroty is a proven leader in industrial cybersecurity, and here's why:
The Claroty Platform is deployed across thousands of sites and trusted by hundreds of organizations worldwide.
Claroty was named a leader with the top-scored current offering in The Forrester Wave™: Industrial Control System (ICS) Security Solutions, Q4 2021.
The next step to achieving our mission is something we have completed today. I am proud to share that Claroty has secured $400 million in Series E funding and are acquiring Medigate, whose leadership in healthcare and IoT security, as well as clinical asset management, is clear. Specifically:
Medigate is the first company to recognize — and address — the critical need for healthcare IoT security.
Medigate was named 2021 Best in KLAS for Healthcare IoT Security in the KLAS Software & Services Report.
Together, Claroty and Medigate will combine our deep domain expertise and specialized technologies into a single platform that will extend across all types of CPS and connected devices to secure the XIoT.
I would like to extend a warm welcome to the Medigate team and look forward to working together towards our combined vision: a future where cyber and physical worlds safely connect to support our lives.
Top 5 Reasons You Need a Device Security Partner
Claroty Technology Alliance Program Enables Effective Network Policy Enforcement for the XIoT
CISA’s CPGs: Guidance into XIoT Cybersecurity Leadership and Governance