CPS risk management - what's it about?

As Operational Technology (OT) and traditional IT converge, there is more talk on Cyber-physical systems (CPS), which Gartner defines as systems that orchestrate sensing, computation, control, networking and analytics to interact with the physical world.

The growing connections between IT and OT networks, the explosion of IIoT devices, and the sharing of real-time, mission-critical industrial and business data are producing a rapidly growing attack surface.

Faced with real threats, OT operators are also under increased regulatory pressure, mostly focusing on improved risk management and continuous assessments.

Cyber-Physical Systems and OT environments however are different and present several challenges:

• Many CPS systems were not designed and deployed with security in mind

• Unlike their IT counterparts, legacy systems and devices operate for years and even decades and are difficult or impractical to update

• CPS are routinely deployed by business units without consultation with IT or security teams

• There is a dire skill shortage for risk assessments and mitigation efforts in operations or mission-critical environments

• Purchasing decision makers may not be aware of cyber-physical risks or may prioritize cost and speed over risk

Hence the rise of CPS security-posture risk assessment software platforms - recently reviewed by Gartner in its Hype Cycle for Cyber Risk Management, 2023.

The features and benefits

Risk assessment and management platforms specifically designed for industrial organizations are typically ROI-based - echoing the Pareto rule which posits that 20% of the cybersecurity investment into tools brings 80% of the value.

Using thousands of data points for network, asset, locale, industry, adversary capabilities and attack tactics, such systems calculate the per-zone likelihood of attacks and the effectiveness of corresponding risk-mitigation measures (installed and proposed). In order to that, building a real-time asset inventory of connected IoT and other industrial devices is crucial.

Risk management platforms determine the key indicators for risk, threat, and control levels, and deliver a comprehensive hardening plan (compliant with ISA/IEC 62443, NIST CSF, and other emerging industry best practices), prioritized by each control’s contribution to achieving risk management goals. Based on this information, such tools help OT operators optimize their OT security expenditure and make the process of continuous risk assessments more effective.

Typically, risk management platforms integrate with network/threat detection systems and SIEMs to acquire the necessary information for risk calculations.