As IT systems, IoT & operational technology converge, attacks on cyber-physical systems in industrial, health care & other sectors will come with severe consequences, Gartner, a research company has predicted.
75% of top management at companies will be personally liable for cyber-physical system (CPS) security incidents by 2024, especially those that involve fatalities.
This was the observation of Gartner, which predicts that CEOs will shortly no longer be able to hide behind their corporate legal departments if events go badly wrong.
Gartner defines CPSs as “systems that are engineered to orchestrate sensing, computation, control, networking & analytics to interact with the physical world, including humans.”
The security implications for such systems have been heightened as IT systems, IoT & the operational technology (OT) that controls physical systems continue to converge.
Physical systems that were previously separate or siloed can now be reached through a compromised IT network or IoT endpoint. At the same time, many companies are unaware that they have OT systems connected to enterprise networks, or they may not be following correct network segmentation or other precautions.
These convergences are mainly found in critical infrastructure & clinical healthcare environments at this time, but will become more widespread with the expansion of 5G, & as innovations in smart buildings, smart cities, connected cars & autonomous vehicles, & telehealth/remote surgery continue to be commissioned, the firm commented.
In these environments, “incidents can quickly lead to physical harm to people, destruction of property or environmental disasters,” according to the firm. “Gartner analysts predict that incidents will rapidly increase in the coming years due to a lack of security focus & spending currently aligning to these assets.”
Gartner also predicted that the financial impact of CPS attacks resulting in fatal casualties will reach more than $50b by 2023. This includes the costs for organisations in terms of compensation for loss-of-life, litigation, insurance, regulatory fines & reputation loss.
“Regulators & governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules & regulations governing them,” observed Katell Thielemann, Research VP at Gartner, in a media statement.
“In the US, the FBI, NSA & Cybersecurity & Infrastructure Security Agency (CISA) have already increased the frequency & details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”
In July, ICS-CERT issued an advisory on a critical security bug in the Schneider Electric Triconex TriStation & Tricon Communication Module.
These safety instrumented system (SIS) controllers shut down plant operations when a fault occurs, & act as an automated safety defence for industrial facilities, designed to prevent equipment failure & catastrophic incidents such as explosions or fire.
They have been targeted before, in the 2017 TRITON attack.
A review of cyber-security in CPS is crucial going forward, the firm noted. The prohibitive cost in money & reputation of cyber-physical casualties to organisations will lead to a greater focus on OT & CPS security.
Senior executives & board members will need better visibility & control of the security of the organisation’s CPS, & Gartner expects the relatively new market of OT-specific security capabilities to soar from $250m in 2018 to $1.115b in 2021, a CAGR of 45.7%.
“A focus on ORM, or Operational Resilience Management, beyond information-centric cyber-security is sorely needed,” Thielemann commented.
For best practice, Gartner recommended that organisations first identify all of the organisation’s connected assets. This is regardless of whether these are considered IT equipment, OT equipment, building management systems, smart appliances or any other type of wirelessly connected device.
Then, they should adjust risk-assessment methods currently in use to discover the likelihood & impact of events affecting human & environmental safety.
Next, they can develop a classification method that accounts for the physical aspects of data & systems rather than relying on a data-classification scheme alone.
The following stage is to run an awareness campaign to make sure that all stakeholders, both inside & outside the organisation, are fully aware of the cyber-physical risks that come from the organisation’s connected systems.
“Keep an eye out for any regulation that might come into force as a result of the first cyber-physical casualty,” Thielemann concluded.