In a featured session at the Microsoft Ignite conference, Gartner® VP Katell Thielemann spoke about cyber-physical systems (CPS) and how to talk to business stakeholders about the new types of risks they pose to safety and production.[1]
The topic is particularly relevant now in the light of recent ransomware attacks on a gas pipeline operator and food processor, which have raised management- and board-level awareness about IoT and Operational Technology (OT) risk.
In addition to the substantial ransomware payouts ($4M and $11M, respectively), the attacks resulted in tens or hundreds of millions in lost revenue from unplanned downtime. The pipeline operator has also been hit with two class action lawsuits alleging negligence in securing its operational infrastructure.
Security and risk management (SRM) leaders are now responsible for new types of threats and risks – such as safety and production risks – from parts of the organization they never worried about in the past, when they were mainly focused on the security of information and digital assets (like databases and containers) rather than physical processes and assets (like turbines, mixing tanks, and industrial robots).
Katell is ideally suited to analyzing trends in this domain because her background includes extended stints at both General Electric and Honeywell. At the end of the blog post, we include a link to Katell’s full report, as well as a recorded interview she recently conducted with Jeffrey Wheatman, VP Advisor and Chair of the Gartner Security & Risk Management Summit.
Gartner defines cyber-physical systems as “engineered systems that orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans). They enable safe, real-time, secure, reliable, resilient and adaptable performance.”[2]
CPS process more than information; they manage and optimize physical outcomes, from individual processes to entire ecosystems. Some examples include robotic arms, gas and oil processing technology, water purification systems, meat cutting, grain processing, baggage handling, and building management systems. Our entire civilization relies on these assets.
Gartner uses the term CPS not to replace OT and IoT, but instead to encompass the entire cyber-physical spectrum.
As the number of interconnected CPS increases to support digital business transformation, the attack surface and risk are also increasing.
In fact, in a recent Gartner survey, security and risk leaders ranked the Internet of Things (IoT) and cyber-physical systems as their top concerns for the next three to five years.
CPS are where the business value of an organization is created. If you’re a manufacturer, for example, value isn’t created in your payroll system, it’s created in your plants. When your plants get shut down, it directly impacts your revenue and profits. And that gets the board’s attention.
Other impacts that get the board’s attention include loss of life and environmental incidents; theft of sensitive corporate IP like proprietary formulas and manufacturing processes; and corporate liability.
First, let’s talk about motives: CPS largely hold your secret sauce. So, they’re going to be targeted by everyone: nation-states with geo-political, espionage and IP exfiltration motives, terrorists who may want to destabilize critical infrastructure, cybercriminal gangs who want to compel you to pay ransoms, disgruntled employees motivated by revenge or fraud, hacktivists with a political cause or societal gripe.
In addition to the recent ransomware attacks on the gas pipeline and food processor, we’ve seen the TRITON attack on the safety systems of a petrochemical company; destruction of a blast furnace in a steel plant; and the NotPetya attack which affected a global shipping and logistics firm, snack company, manufacturer of construction materials, and pharmaceutical firm (where it halted production of a critical vaccine and led to $1.3B in losses).
We’ve also seen IoT attacks on what Gartner calls “carpeted areas,” such as the nation-state attack on VoIP phones and printers discovered by Microsoft, in which attackers leveraged vulnerable IoT devices as entry points to the corporate network.
CISOs have traditionally been focused only on protecting the confidentiality of data in the corporate IT network.
To support business resilience and growth goals simultaneously in today’s fast-evolving environments, SRM leaders need to expand their risk lenses. They need to develop a compelling unified vision and strategy across the cyber and physical places under a cyber-physical system security (CPS-Sec) umbrella.
To get past “data breach fatigue” that boards may be experiencing, highlight the real-world impacts of recent attacks, such as gas stations running out of fuel up and down the US east coast.
Gartner recommends the following approach when developing a CPS vision statement:[3]
“Start by documenting your organization’s business strategy, and enumerating the technology drivers and environmental trends that are unique to your enterprise. This will lay the foundation for articulating a clear vision statement, and will act as an anchoring document for the other steps.
The vision statement needs to be presented using voice-of-the-business language to resonate. Too often, SRM leaders are pigeon-holed into an alarmist, an obstructionist or a last-line-of-defense position. Communicating risks in the context of business or mission outcomes helps shift these perceptions.
Good vision statements share several characteristics:
Characteristics of CPS security that should be woven in as appropriate:
Examples of CPS-oriented SRM vision statements in business and mission contexts include:
Too many organizations still think that “security by obscurity” is OK, or they can simply deploy a few firewalls and network segmentation.
While segmentation is an important control because it makes it more difficult for attackers to move laterally, we also recommend the following technologies at a minimum:
What is needed moving forward are CPS Protection Platforms that bring an asset-centric view of security and tackle issues such as:
Graphics in this blog post were published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The full Gartner document is available upon request from here.
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
[1] Microsoft Ignite Session featuring Katell Thielemann on Cyber-Physical Systems (November 3, 2021)
[2][3][4] Gartner, How to Develop a Security Vision and Strategy for Cyber-Physical Systems, Katell Thielemann, Refreshed 1 September 2020, Published 4 April 2019.