We’ve spent two decades connecting things to the internet, but only relatively recently have those things had a direct link to the physical world. Direct links now include patient monitoring in hospitals, smart electric grids, autonomous cars, process control systems, and much more.
Bringing these smart, efficient, connected cyber-physical systems (CPS) to market has resulted in improved operations, resilient, reliable systems, and a deeper understanding of the physical things they control. Given that these systems today sustain our lives, they also have newfound value to criminals and state-actors interested in profit and disruption.
Ransomware actors and extortionists target critical infrastructure sectors that keep the lights on, our homes warm, and the water clean. They threaten to impede services and create public panic in order to collect a ransom demand. State actors, meanwhile, can meet geopolitical ends by targeting cyber-physical systems with advanced malware and exploiting vulnerabilities that have not yet been disclosed.
Unquestionably, the security of cyber-physical systems is a growing imperative among critical infrastructure operators and in other sectors, one that may soon merit the same investment that data and IT infrastructure security has garnered for the past 20 years.
Research and analyst firm Gartner™ recently published its 2022 Hype Cycle™ for Security Operations. Cyber-physical systems security appears for the first time in this Hype Cycle report and is within its innovation trigger phase. The innovation trigger is the earliest of the Hype Cycle’s five phases and indicates a potential breakthrough for the technology where buzz is happening among users and vendors, and other events that generate significant media and industry interest. Gartner expects this technology to plateau within the next five to 10 years. Claroty is named among one of five Sample Vendors in this category.
The Hype Cycle, meanwhile, is the firm’s representation of a technology’s maturity and adoption. Its five cycles include: the innovation trigger, a peak of inflated expectations, the trough of disillusionment, the slope of enlightenment, and finally the plateau of productivity. The current Hype Cycle for Security Operations has only one technology at this final stage: vulnerability assessment. Mature, widely deployed technologies such as SIEMs, endpoint detection and response, and threat intelligence services are within the slope of enlightenment.
At Claroty, we believe what’s noteworthy about the emergence of cyber-physical systems security within the innovation trigger category is that CPS security has been decoupled from operational technology cybersecurity. OT security is emerging from the trough of disillusionment to the slope of enlightenment.
“With the expansion of connected systems, OT security in isolation has become less of a focus for organizations,” Gartner stated in its Hype Cycle for Security Operations report. “These organizations are beginning to recognize that connectivity between physical and digital systems is ever-more common, and these systems should not be necessarily seen as separate security challenges.”
Gartner defines cyber-physical systems as those engineered systems that orchestrate sensing, computation, control, networking and analytics to interact with the physical world. Our observation is that, within OT environments, asset discovery of cyber-physical systems is becoming increasingly prioritized in order to focus on the core tenets of OT security, safety, availability, and resilience.
“Since CPS connects both cyber and physical worlds, security efforts are particularly critical in production and operational-centric industries,” Gartner said in its report. “As risks extend to the physical world, concerns over physical perimeter breaches, jamming, hacking, spoofing, tampering, command intrusion or malware implanted in physical assets also need to be addressed above and beyond cybersecurity.”
IoT Analytics, a market research firm focusing on the internet of things, projects there are 14.4 billion connected devices in the world, a number that will almost double by 2025. The relentless race from business and government leaders to promote smart initiatives impacting everything from utilities to agriculture to public safety will generate incomprehensible volumes of data and processes that must be protected. That requires a mindset beyond simply what IT security provides.
Organizations are urged to strategize today to protect cyber-physical systems, collaborate with their IT and IoT colleagues, and standardize security across domains.
Gartner makes several recommendations:
Educate business executives of the importance of CPS security to digital business initiatives.
Discover all connected assets, whether born out of information technology/operational technology (IT/OT) convergence or new Internet of Things (IoT)/industrial Internet of Things (IIoT)/smart “x” programs.
Evaluate which CPS assets are high-value or mission-critical, identify specific CPS security controls already in place, and determine whether any gaps need to be prioritized based on potential organizational impact.
Create an investment plan to update security and risk management strategies and programs in relation to CPS, starting with those high-value and mission-critical assets. • Engage functional business leaders to establish clear risk ownership and define domain-specific controls for CPS to balance between growing the business and improving security.
“Unlike IT systems that mainly transact data, CPS connect both the cyber and the physical worlds. These assets are usually deployed in operational or mission-critical environments. which means that CPS security efforts need to focus on human safety and operational resilience above and beyond traditional information-centric security efforts,” Gartner stated. “This is because the impact of an incident could be felt both in the real world and on an organization’s bottom line, mission or the public at large.”
*Gartner, "Hype Cycle for Security Operations, 2022", Andrew Davies, July 5, 2022.
GARTNER and HYPE CYCLE are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.