Find answers to the most common questions about cyber-physical systems security, OT cybersecurity, industrial IoT, and how Claroty helps organizations reduce risk and protect what matters most.
To build a mature CPS security program, organizations should adopt a holistic approach that coordinates people and uses processes to effectively leverage available technology. This involves establishing clear ownership through RACI models, implementing repeatable workflows and standard operating procedures, and deploying specialized tools for asset visibility, exposure management, network segmentation, secure access, and threat detection.
AI is revolutionizing how cyber-physical systems (CPS) are secured, from speeding accurate asset identification to a future where agents automatically update machines and deploy mitigations. Claroty Claire™ is the industry's first CPS-native AI security agent engineered to proactively defend mission-critical infrastructure with machine-speed accuracy. Claire is built on unmatched CPS understanding and data to safely bridge the gap between security controls and strict uptime constraints by automating asset visibility, delivering tailored risk insights, and orchestrating remediation at scale.
For most customers, SaaS-based security is the best option. Cloud-based solutions provide automatic updates with the latest capabilities, vulnerability data, and threat intelligence. They also improve cyber resilience by encrypting data by default and reducing the number of on-premises hardware entry points for potential attackers. On-premises CPS security tools are the best choice for organizations beholden to certain regulatory requirements or in low-connectivity environments.
Digital transformation has substantially changed how OT environments function, adding connectivity within and into systems and legacy devices that were never intended to be connected. This shift is a foundational reason for the cyber-physical systems (CPS) classification, driving the need for dedicated security solutions that understand and can secure fragile legacy devices.
CPS protection involves securing the integrated systems and devices responsible for sensing, computation, and control of physical processes. It requires a holistic approach that combines specialized technology, repeatable processes, and clear organizational ownership to ensure the safety and reliability of mission-critical operations. The specialized technology should include asset discovery and management, exposure management, network protection, secure access, and threat detection.
Cyber-physical systems (CPS) are engineered systems that integrate sensing, computation, control, networking, and analytics to interact with the physical world and its users. These systems underpin critical infrastructure by connecting the cyber and physical domains to enable safe, real-time, and resilient performance across sectors like manufacturing, healthcare, and energy.
CPS need specialized security due to the unique and legacy devices in OT, IoT, IoMT, and BMS. These devices communicate using proprietary protocols, and standard IT methods of talking to the devices can break them. A dedicated CPS security platform considers the unique operational requirements and device limitations in these environments to provide protection without adding risk.
Process values are real-time readings from industrial devices, such as temperature, pressure, and flow rate, that underpin critical processes at levels 0 and 1 of the Purdue Model. Claroty's Process Values tool enables security and engineering teams to track these readings and associated behaviors, making it easier to identify a change indicative of malicious activity.
Secure by design is a cybersecurity approach that mandates integrating security measures into a system's architecture from the very beginning of its development lifecycle. Rather than adding security as an afterthought, this philosophy prioritizes proactive risk mitigation through principles like least privilege, defense in depth, and secure default settings.
Securing connected OT is essential because increased connectivity has expanded the attack surface, leaving critical infrastructure vulnerable to ransomware and sophisticated nation-state attacks. Implementing dedicated security measures ensures the safe, reliable operation of industrial processes and protects against disruptions that could impact national security and economic stability.
The integration of IT and OT occurs through the convergence of physical hardware, software systems, and organizational workflows to enable seamless data flow between digital and industrial environments. This process involves connecting OT devices to IT networks, harmonizing data for real-time analysis, and unifying siloed teams into a collaborative, risk-driven operating model.
Key OT security concepts include multiple asset discovery techniques to provide automated visibility, ongoing exposure management, continuous threat detection, manageable network segmentation, and centralized secure remote access to protect physical processes and critical infrastructure. Legacy and proprietary devices require specialized security solutions that understand the protocols they use to communicate, their fragility, and specific risks unique to OT.
Network segmentation is important in OT environments because it divides the network into smaller sections or zones, effectively reducing the attack surface and preventing lateral movement. Segmentation is more important now than ever to protect critical systems as exponentially more vulnerabilities will be discovered and disclosed.
NERC CIP is a mandatory set of cybersecurity and physical security regulations designed to safeguard North America’s Bulk Electric System (BES) from cyberattacks, sabotage, and operational disruptions. Compliance is required for any utilities that own, operate, or use parts of the power grid across the U.S., Canada, and parts of Mexico.
The Federal Energy Regulatory Commission (FERC) is an independent federal agency that regulates the interstate transmission of electricity, natural gas, and oil within the United States. It also oversees the licensing of hydropower projects and enforces mandatory reliability standards for the nation's bulk power system to ensure secure and efficient energy services.
ISA/IEC 62443 is a series of international standards providing a flexible, risk-based framework for securing industrial automation and control systems (IACS) and operational technology (OT) networks. It covers technical and procedural requirements throughout the system lifecycle, utilizing concepts like zones, conduits, and security levels to protect against evolving cyber threats. The framework is globally recognized and is the cornerstone standard referenced by governments to assess whether an organization implemented "reasonable" security measures.
The National Cyber Strategy outlines a path to secure the United States through six pillars, including shaping adversary behavior, promoting common-sense regulation, and modernizing federal networks. It focuses on deploying both defensive and offensive cyber capabilities, hardening critical infrastructure, and leveraging emerging technologies like AI and post-quantum cryptography to ensure technological dominance.
The NIS2 Directive is an updated European Union framework designed to enhance cybersecurity and resilience across critical sectors by setting a high common level of security for network and information systems. It expands the scope of the original 2016 NIS Directive to include more industries, mandating stricter risk management measures, incident reporting requirements, and corporate accountability for essential and important entities.
The NIST Cybersecurity Framework (CSF) is a voluntary set of guidelines and best practices created by the U.S. National Institute of Standards and Technology (NIST). It's widely adopted as the go-to framework for aligning security programs with proven outcomes. The NIST CSF can be applied for CPS security as a guide for establishing a strong program, which can be supported by a dedicated CPS security platform.
Operational resilience is an organization's ability to maintain critical business services and protect its workforce by anticipating, absorbing, and recovering from disruptions. It goes beyond traditional disaster recovery by taking a proactive, holistic approach to managing risks across people, processes, and technology.
Cyber resilience is important because cyber-physical systems are increasingly integrated into critical infrastructure, and their failure can lead to severe consequences including physical damage, equipment destruction, and threats to human life. A resilient approach ensures that organizations can withstand and quickly recover from these inevitable breaches, maintaining operational continuity and protecting public safety.
To defend against ransomware in industrial environments, organizations must build cyber resilience by implementing a holistic approach that includes regular data backups, employee training, and advanced threat detection. Additionally, it is critical to develop a rehearsed incident response plan and secure all endpoints to ensure operations can be restored quickly with minimal disruption.
Managing CPS risk involves adopting a holistic, impact-centric approach that combines people, processes, and technology to identify, assess, and prioritize exposures across the environment. This is achieved through a repeatable cycle of asset discovery, vulnerability assessment, and remediation efforts prioritized by the potential impact on critical business outcomes and operational continuity.
To prioritize CPS risk, organizations should move from an asset-centric approach to an impact-centric one that evaluates vulnerabilities based on their potential to disrupt mission-critical business processes. This involves utilizing a granular risk-scoring framework that accounts for business context, device purpose, and toxic combinations of exposures to address the risks most likely to cause operational or financial harm.
Vulnerability management is improved by adopting a risk-based approach that prioritizes the remediation of flaws based on their actual exploitation likelihood and potential business impact rather than relying solely on severity scores. This process is further enhanced by utilizing deep asset visibility, automated correlation with CISA’s KEV catalog, the availability of patch details and actions required for patching, and implementing compensating controls when patching is not feasible.
The most effective way to prioritize vulnerabilities today is by enriching technical severity scores with business context, such as asset criticality, network exposure, and the presence of sensitive data. With more vulnerabilities being disclosed today than ever before, prioritization with actionable mitigation recommendations is critical for CPS vulnerabilities.
Remote Privileged Access Management (RPAM) is a cybersecurity approach that provides secure, granular, and time-limited access to critical systems for remote employees and third-party vendors without requiring a VPN. It combines identity verification, session brokering, and credential injection to enforce zero-trust principles and ensure users only access the specific resources necessary for their tasks.
OT remote access allows internal and third-party engineers to connect to assets and systems in industrial environments no matter where they're located. Engineers remotely access devices to monitor, control, maintain, and troubleshoot equipment without being on-site. Security for this access involves implementing purpose-built solutions that employ zero-trust principles, granular access controls, and comprehensive auditing to protect critical infrastructure from unauthorized entry and cyber threats.
Secure access benefits industrial organizations by increasing operational efficiency and reducing downtime through real-time troubleshooting and remote system adjustments. It also provides significant cost savings by minimizing travel for technicians and enhances flexibility by allowing personnel to securely monitor and maintain critical assets from any location.
Traditional VPNs are considered unsafe for OT environments because they provide broad network-level access that lacks granular control and real-time visibility into user activity. This allows accidental or intentional access to unauthorized devices and unmonitored lateral movement across critical systems, potentially disrupting production processes or impacting safety systems.
Zero Trust architectures require continuous authentication and authorization for every user, device, and connection request, treating all entities as untrusted regardless of their location. They utilize strategies like microsegmentation to isolate medical devices and systems, and enforce least-privilege access to ensure personnel only reach the specific resources necessary for patient care.
Zero Trust principles apply to secure access by assuming that no user or device is inherently trustworthy, requiring continuous verification for every access attempt regardless of location. This model replaces broad perimeter-based connectivity with granular, least-privilege access that connects authenticated identities only to specific authorized applications or assets.
Remote access is a primary attack vector for cyber-physical systems because attackers exploit weak legacy mechanisms like VPNs and jump servers to gain entry. These vulnerabilities often lead to "shadow access," where unmanaged connections bypass security governance and allow for lateral movement that can result in physical damage or operational failure.
Shifting economic policies have caused shifts in the global supply chain, creating uncertainty for critical infrastructure organizations. These shifts cause organizations to reconsider the geography of their supply chain to add predictability and minimize cybersecurity risk associated with the hardware and software required to operate their CPS.
Cyber-physical systems are central to all parts of critical global supply chains, making their security paramount. Knowing what CPS are part of an organization's supply chain and ensuring those systems have reasonable protections in place is essential to mitigating the risk of downtime and operational disruptions. Similarly, any third parties within an organization's supply chain that require entry to critical systems should only be allowed access through a centralized secure remote access tool that logs all user actions and follows least privilege principles.
Alert management is the process of identifying, prioritizing, and responding to security alerts to maintain operational continuity and minimize the impact of incidents. It involves using automated tools to minimize false positives and negatives, provide contextual insights like root-cause analysis, and streamline workflows through established playbooks and integrations.
CPS threat detection is the process of monitoring network traffic and asset behavior within cyber-physical environments to identify cyber threats, unauthorized changes, or operational anomalies. It uses specialized tools to analyze industrial protocols and provide the visibility needed to protect the integrated digital and physical components of critical infrastructure.
Proactive threat detection is a continuous, 24/7 monitoring process that identifies potential cyber threats and vulnerabilities in OT and IT environments before they materialize. This approach utilizes network behavior analysis and anomaly detection to identify unusual patterns, allowing security teams to intervene before incidents impact the operational integrity.
Anomaly detection identifies previously unknown threats, such as zero-day attacks, by pinpointing deviations in typical communication patterns between network assets or zones. It leverages deep packet inspection to establish a behavioral baseline for every asset, allowing the system to immediately alert users to unusual activity or violated physics within the environment.
Monitoring is essential because it enables the continuous identification of suspicious activities, anomalies, and indicators of compromise before they disrupt critical services or endanger public safety. In times of conflict, this real-time visibility is crucial for minimizing operational downtime, reducing financial losses, and allowing security teams to respond to incidents faster.
MITRE ATT&CK for ICS is a specialized framework and knowledge base that categorizes the unique tactics and techniques used by adversaries to target industrial environments and critical infrastructure. It provides a standardized lexicon to help security teams understand, detect, and develop targeted defense strategies for protecting operational technology and industrial control systems.
Cyber-physical systems (CPS) should avoid direct internet exposure because many legacy devices lack fundamental security features like encryption and authentication, making them easy targets for attackers. Connecting these mission-critical assets to the internet significantly expands the attack surface, allowing adversaries to exploit vulnerabilities that could lead to physical process disruptions or life-safety risks.
NotPetya is a highly destructive wiper malware that first emerged in June 2017, initially disguised as ransomware to sabotage targeted systems rather than extort money. It primarily spread by exploiting the EternalBlue vulnerability and compromised software updates, causing over $10 billion in global damages by permanently destroying data and disrupting critical infrastructure.
IOControl is a sophisticated, Linux-based cyberweapon and backdoor designed to target IoT and OT devices. Claroty's Team82 discovered the malware being used to target IP cameras, routers, PLCs, HMIs, firewalls, and more as part of a targeted campaign by a threat actor group linked to Iran known as the CyberAv3ngers.
Project Glasswing and the Mythos LLM eliminate the traditional security time buffer by allowing AI-driven adversaries to discover and exploit CPS vulnerabilities almost instantaneously. Defenders need deep asset intelligence prioritized by real-world operational risk to effectively protect systems in this reality. A Zero Trust approach with network segmentation and secure access controls is essential to mitigating the risk of exploitation.
A pro-Iran hacktivist group named Handala claimed responsibility for a highly disruptive cyberattack against the global medical technology manufacturer Stryker in retaliation for ongoing geopolitical conflicts. The attackers reportedly compromised the endpoint management tool Microsoft Intune to issue a massive wipe command, disabling tens of thousands of internal servers and devices without the use of malware or ransomware. This widespread IT outage brought Stryker's global production lines to a halt, raising concerns about significant equipment shortages and delays across the broader healthcare supply chain.
Colonial Pipeline supplies nearly half of the fuel to the US East Coast. On May 7, 2021, a ransomware attack by the cybercriminal group DarkSide compromised the IT network of Colonial Pipeline. The company proactively shut down a 5,500-mile pipeline system to prevent the ransomware from impacting its CPS.
Ransomware impacts critical infrastructure by encrypting essential data and stealing sensitive information, often resulting in operational shutdowns and significant financial losses. These attacks can cause cascading physical consequences across global critical infrastructure, jeopardizing public safety, economic stability, and national security.
OT:ICEFALL is a collection of 56 vulnerabilities discovered by Forescout researchers that affect operational technology devices from numerous vendors due to insecure-by-design engineering practices. These vulnerabilities are categorized into insecure engineering protocols, weak cryptography or broken authentication, insecure firmware updates, and remote code execution via native functionality.
The primary risks to industrial control systems (ICS) include the convergence of IT and OT networks, which creates new pathways for attackers to move from corporate systems into critical physical processes. These environments are also highly vulnerable due to the prevalence of legacy systems that lack modern security features like encryption, as well as the increasing connectivity that expands the overall attack surface.
MOVEit has disclosed a series of high-risk vulnerabilities in 2023 and 2026. CVE-2023-34362 was used by ransomware group CL0p in 2023 to install malicious web shells via MOVEit in victim networks. Since then, CVE-2026-4670, a critical authentication bypass, and CVE-2026-5174, a high-severity privilege escalation, allow unauthenticated attackers to gain administrative control and expose corporate data. If MOVEit is used in CPS for file transfer, it is highly recommended that an alternate method be employed, such as a secure remote access tool with secured file transfer capabilities.
The OpenSSH vulnerability, known as regreSSHion (CVE-2024-6387), is a signal handler race condition in the OpenSSH server (sshd) that allows unauthenticated remote code execution as root on glibc-based Linux systems. This critical flaw is a regression of a previously patched 2006 vulnerability and affects portable OpenSSH versions from 8.5p1 up to, but not including, 9.8p1.
Ripple20 is a collection of 19 zero-day vulnerabilities discovered by security researchers at JSOF within a low-level TCP/IP software library developed by Treck, Inc. These vulnerabilities affect hundreds of millions of connected devices across various industries, potentially allowing attackers to execute remote code, steal data, or cause device malfunctions.
ICS vulnerability reports reveal that industrial environments face significant risks due to the rapid integration of IT and OT systems, which has expanded the attack surface for adversaries. These reports highlight that exploitation of vulnerabilities has surged by 34%, often stemming from unpatched third-party software and firmware in critical infrastructure sectors.
Healthcare cybersecurity is the practice of applying prevention, detection, and response strategies to protect the entire connected care ecosystem from digital threats. This approach ensures patient safety, business continuity, and the protection of confidential data while maintaining compliance with industry regulations, like HIPAA.
Securing healthcare OT requires a holistic approach that combines passive monitoring with flexible, host-based data collection like Claroty Edge to gain complete visibility into both managed and unmanaged devices. This foundation of visibility enables organizations to deeply profile assets, manage exposures, and implement network protection measures to ensure operational integrity and patient safety.
Large healthcare systems manage risk by adopting a holistic, programmatic approach that coordinates people, processes, and technology to secure their connected care infrastructure. This involves establishing automated asset visibility, implementing repeatable workflows, determining ownership and governance, and deploying specialized platforms like Claroty xDome to implement risk-reduction strategies.
Rural hospitals manage risk by leveraging complimentary federal resources and partnerships with technology leaders to identify vulnerabilities and improve incident response plans. They also prioritize core security practices such as implementing multi-factor authentication, conducting regular staff training, and utilizing network segmentation to protect critical patient care systems.
Claroty secures connected healthcare environments through a purpose-built platform that provides deep visibility into all connected devices, including medical, OT, IoT, and building management systems. The platform employs a multi-method discovery approach and modular controls for exposure management, network protection, secure access, and threat detection to ensure patient safety and operational uptime.
Securing medical devices is critical because vulnerabilities in life-sustaining equipment like infusion pumps and telemetry monitors can lead directly to treatment delays and catastrophic patient harm. Since many digital clinical systems lack manual backups, ensuring their security is essential to maintaining the continuity of care and overall patient safety.
The biggest cybersecurity risks for medical devices include known exploited vulnerabilities (KEVs) linked to ransomware and insecure internet connections. These risks are particularly prevalent in imaging systems and hospital information systems, where they can lead to unauthorized data access, treatment manipulation, and significant disruptions to patient care.
To secure smart buildings, organizations should implement a holistic approach that includes automated asset discovery, risk assessment, and continuous threat detection across all building management systems and IoT devices. Additionally, deploying zero-trust controls such as secure remote access and network segmentation helps protect vulnerable legacy systems from unauthorized access without disrupting critical operations.
The Purdue Model was designed as a reference model for data flows in computer-integrated manufacturing (CIM), including industrial control systems (ICS) and OT. It is a critical concept in securing industrial CPS environments, and should be respected by CPS protection tools, especially those that enable secure remote access. The Purdue Model is also essential for proper network segmentation and exposure management strategies.
Industrial cybersecurity involves protecting the operational technology (OT) systems, networks, and data that control physical processes in environments like manufacturing plants and power grids. It addresses unique challenges by securing complex industrial systems where cyber threats can result in devastating physical consequences, safety risks, and operational disruptions.
Mergers and acquisitions expand an organization's attack surface and introduce risks such as legacy system vulnerabilities, unvetted identities, and inconsistent security controls. The integration period is particularly hazardous as attackers exploit distracted IT teams and the convergence of networks.
To secure manufacturing, organizations should adopt a holistic approach that coordinates people, processes, and technology while establishing clear ownership through RACI models. This includes implementing repeatable workflows, standard operating procedures, and deploying specialized tools for asset visibility and network segmentation.
Partnerships improve CPS security by combining specialized cybersecurity technology with deep CPS protection expertise and technology to provide comprehensive visibility and risk management across converged environments. These collaborations enable organizations to unify IT and CPS security operations, facilitating faster incident response and more robust protection for critical infrastructure.
Effective security for semiconductor manufacturers involves a holistic Cyber-Physical Systems (CPS) protection program. This involves automating asset visibility, implementing risk reduction and threat response processes and ownership, and implementing specialized standards like SEMI E187 and E188, which focus on securing equipment through malware scanning, network segmentation, and robust access controls.
To secure smart factories, organizations should establish a comprehensive asset inventory and implement network segmentation to isolate critical systems and prevent the spread of cyberattacks. Additionally, it is essential to manage exposure through risk prioritization and integrate IT security tools with OT workflows to achieve unified security governance across the entire environment.
SCADA cybersecurity is the practice of protecting supervisory control and data acquisition systems that monitor and control critical industrial processes from unauthorized access and cyber-physical attacks. It involves implementing a set of technical controls, such as network segmentation and robust access management, to ensure operational safety, availability, and reliability.
Asset visibility in cyber-physical systems (CPS) environments is the comprehensive awareness and real-time monitoring of all devices, systems, and components within a network. It provides a foundational understanding of asset identities, configurations, and interactions, which is essential for effective risk management, threat detection, and incident response.
A combination of active and passive discovery methods is the best practice for identifying and continuously monitoring OT assets. Non-passive (or active) methods involve querying the device in its native protocol in ways that do not disrupt or overwhelm the device. These methods quickly provide asset visibility and enough details about a device to begin risk reduction and exposure management activities. Passive discovery is required for network communication monitoring, which underlies segmentation and threat detection. This combined approach allows teams to get visibility faster and improve their overall security outcomes while reducing total cost of ownership and time to value.
To manage OT assets, organizations must first gain comprehensive visibility by identifying all digital and physical devices using a combination of active and passive discovery methods. Following discovery, these assets should be continuously monitored and secured through a structured lifecycle management process that includes vulnerability assessments, maintenance scheduling, and the establishment of clear governance roles.
Visibility gaps are primarily caused by inconsistent security agent deployment, poor asset inventory management, and the proliferation of unmanaged devices and cloud workloads. They also stem from fragmented data pipelines between security tools and the inability of traditional monitoring solutions to provide telemetry for legacy OT and IoT assets.
OT asset discovery involves using multiple, highly flexible collection methods to identify all hardware, software, and XIoT assets within an environment. These methods include passive monitoring, active queries, project file analysis, and third-party integrations to safely extract granular device details and communication paths without disrupting operations.
OT asset discovery provides the foundational visibility required to identify all connected systems, understand their interactions, and pinpoint potential security risks. By replacing uncertainty with a factual understanding of the environment, it enables effective risk management, incident response, and compliance adherence.
OT asset discovery works by combining passive monitoring and non-disruptive active queries to identify device details and map communication paths within the network. It also employs specialized databases to parse backup configuration files, enabling the inventory of assets that may be disconnected or air-gapped.
Due to inconsistent naming conventions across different communication protocols, cyber-physical systems (CPS) suffer from a digital identity crisis where 88% of assets fail to transmit exact product codes. This widespread lack of standardization prevents security teams from accurately mapping vulnerabilities, leaving critical infrastructure and healthcare environments blind to real cyber risks. To solve this problem, Claroty launched the CPS Library, an AI-driven centralized repository of asset identifiers that increases vulnerability matching accuracy by 25% and provides explicit firmware remediation recommendations.