Cyber-physical systems (CPSes) are becoming increasingly interconnected with many industrial control systems, operational technology devices, Internet of Things (IoT) devices and robotic and autonomous systems. Such interconnectivity expands the enterprise attack surface, leading to an increase in targeted cyber attacks. These attacks affect not only the production and mission-critical systems of organizations in industries such as manufacturing, transportation, healthcare delivery and utilities, but also the critical infrastructure supporting national economic prosperity. Several organizations have been victims of such attacks in the past, including a US gas pipeline operator, the Ukrainian power grid and Belarusian railroads.
To address CPS security, security and risk management leaders face the challenge of updating their governance efforts. Cybersecurity governance has evolved beyond enterprise IT systems, and security and risk leaders can follow a six-phase CPS security governance roadmap, learning from the best practices of leading organizations.
Phase 1: Awareness
The first step is for Chief Information Security Officers (CISOs) to understand the existing security landscape for CPSes. When it comes to CPSes, safeguarding information is not enough. Because cyber systems are connected to physical processes, safety and operational uptime must be core design principles. Most existing IT cybersecurity policies are inadequate for CPSes, and budgets are often scattered. Therefore, one should spend time understanding the organization’s business model and the metrics that drive business leaders in operational or production environments.
Phase 2: Outreach, Asset Discovery and Network Topology Mapping
This is where the process of discovery starts. CISOs may find that no one oversees CPS security. In such cases, it’s important to establish a cross-functional steering committee with participation from IT, cybersecurity and business units such as engineering, process automation and supply chain management. The larger and more geographically dispersed an organization is, the more urgent it is to deploy specialized asset discovery and network topology mapping tools.
Phase 3: The ‘Oh Wow!’ Moment
In this phase, the organization becomes aware of the breadth and depth of its CPS security gaps. The organization may have more CPSes than anyone thought, some of them discoverable on the internet, or OEMs may be remoting in without established policies. Firewalls may be misconfigured, ports left open everywhere and passwords shared among shift workers. Discovering these CPS security gaps sets the stage for remediation planning.
Phase 4: Firefighting
Remediation activities need to be prioritized, planned and funded. When prioritizing cybersecurity activities, the steering committee should make trade-offs between cyber-risk and business performance. The organization should prioritize remediation activities based on the potential exposure and the potential business disruption in case of an attack. Treat feasibility as a key principle when updating equipment to reduce risk.
Phase 5: Integration
Once the initial critical cybersecurity remediation efforts are completed, the focus should turn to continuous monitoring and longer-term projects. CPS security monitoring data can be fed to centralized IT cybersecurity tools, such as a Security Information and Event Management (SIEM) tool. Cybersecurity incident response processes should be updated to include CPS incidents. Define policies that take into consideration the wide range of production cadences.
Phase 6: Optimization
This phase focuses on optimizing cybersecurity efforts for business resilience, operational differentiation and growth. CPS protection platforms collect continuous asset telemetry, performance and usage data that can be used by engineers, maintainers or asset operators. Sharing this information can open the door to business-led process improvement or cost control. One should also organize workshops that bring different teams together to discuss cybersecurity issues and define future visions and plans.
In conclusion, IT and CPS security are two vastly different worlds, but modern times have necessitated a “look for similarities but acknowledge and respect differences” approach to the problem. Adopting a six-phase approach enables partnership between security and the business to ensure the most comprehensive approach, using innovative practices to adapt cybersecurity controls to business and operational realities.