- Financial impact of CPS attacks, resulting in fatal casualties, will reach over $50b by 2023.
- A focus on operational resilience management, beyond information-centric cybersecurity, is sorely needed.
Bengaluru: Financial impact of cyber-physical system attacks, resulting in fatalities to people, property and environment, is expected to grow due to a lack of security focus and spending.
Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023.
The research agency defines CPSs as systems that are engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans).
They underpin all connected IT, operational technology (OT) and Internet of Things (IoT) efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure and clinical healthcare environments.
Katell Thielemann, Research Vice-President at Gartner, said that liability for cyber-physical security incidents will pierce the corporate veil to personal liability for 75 per cent of CEOs by 2024.
She said that regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them.
Some governments have already increased the frequency and detail of the information they provide about threats to critical infrastructure-related systems, most of which are owned by private industry.
Ben Carr, CISO at Qualys, said that it’s not surprising to see an increased focus on executive responsibility for cyber incidents, as both corporate boards and investors know the importance of cybersecurity to the company’s bottom line.
Moreover, he said the ever-growing intersection of cyber with normal day-to-day activities is only strengthening the connection to corporate responsibility in this area.
“While privacy is certainly an area of concern, the likelihood of physical damage or worse, personal injury, is increasing as well. As consumer devices from gate openers and HVAC systems, to cars, become further connected, CEOs should rightfully be worried that damage or injury will be areas of liability concern if they aren’t devoting the right resources and due diligence to the problem,” he said.
CEOs need to understand the risks
Thielemann said that CEOs soon won’t be able to plead ignorance or retreat behind insurance policies.
“Even without taking the actual value of a human life into the equation, the costs for organisations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant.
“Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them. The more connected CPSs are, the higher the likelihood of an incident occurring,” she said.
She said that with OT, smart buildings, smart cities, connected cars and autonomous vehicles evolving, incidents in the digital world will have a much greater effect in the physical world, as risks, threats and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.
However, many enterprises are not aware of CPSs already deployed in their organisation, either due to legacy systems connected to enterprise networks by teams outside of IT, or because of new business-driven automation and modernisation efforts.
Carr said that CEOs need to have a direct relationship with their CISO or CSO and genuinely understand the impact of the risk decisions these security leaders are advocating.
“Corporate boards need to ensure they have a board member who understands the issues and works with the CEO and CISO for effective oversight and governance. This is especially true when physical or personal harm is a potential risk,” he said.
While organisations are struggling to determine how they respond to garden-variety ransomware incidents, few, if any, he said, are considering the impact of a ransomware event that affects a system where injury or loss of life is the result of not paying the ransom. CEOs and boards need to take this seriously, assess the personal liability of not addressing these risks, and bring their CISO into the discussions.
“A focus on ORM (operational resilience management), beyond information-centric cybersecurity, is sorely needed,” Thielemann said.