Cyber risk management for cyber-physical systems


By Claroty
Monday, 10 February, 2025



As all types of cyber-physical systems continue to proliferate across many industries, managing cyber risk will only become a more challenging responsibility.

All cybersecurity disciplines and personnel in all sectors share the same overarching goal: to reduce cyber risk. But for those in industrial and critical infrastructure sectors where cyber-physical systems (CPSs) underpin operations, that goal is spiralling out of reach.

Here’s one reason why: simply assessing and prioritising — much less reducing — cyber risk in CPS environments requires a departure from many of the conventional methods and solutions that have long enabled chief information security officers (CISOs) and their teams to manage cyber risk in information technology (IT) environments. And with an estimated 95% of CISOs in critical infrastructure sectors now responsible for securing not only IT but also CPSs, more and more are coming face-to-face with the harsh realities of this highly consequential situation.

Key types of industrial CPS include:

  • Operational technology (OT) assets: such as PLCs, actuators and RTUs that are integral to manufacturing, power generation, transportation and other critical physical processes.
  • Internet of Things (IoT) devices: such as the security cameras, motion sensors, and even vending machines found across myriad types of facilities and environments.

A quick refresher on risk

At its core, risk is a measure of the likelihood and potential impact of an undesirable occurrence. This simple definition is not specific to a CPS, cybersecurity, or anything else. It holds constant no matter the circumstances and can easily be demonstrated via the following equation:

Risk = Likelihood × Impact
where: Likelihood = Threat × Vulnerability

  • Likelihood: This variable refers to the probability of an undesirable occurrence. It is the product of (and dependent on) its two sub-variables: threat and vulnerability.
  • Threat: This sub-variable is the source or trigger of an undesirable occurrence.
  • Vulnerability: This sub-variable encompasses flaws or circumstances that a threat could exploit to lead to an undesirable occurrence.
  • Impact: This variable reflects the consequences of an undesirable occurrence.

The role of risk controls and risk factors

The above equation is not intended to be interpreted in a mathematically literal sense, but it does highlight a mathematically accurate truth: if just one of the equation’s variables were to be eliminated (ie, assigned a value of zero), then the risk in question would also be eliminated.

Although it is nearly impossible to truly eliminate many — if not most — types of risk, the basic principles of risk management shed light on how to reduce it: apply risk controls.

Risk controls are measures intended to reduce risk by decreasing the magnitude of at least one variable of risk. They typically aim to offset risk factors, which have the opposite effect: they increase the magnitude of at least one variable of risk.

Let’s test these concepts by applying them to a very familiar type of risk: sunburn (see Table 1).

Table 1: Risk factors and controls example.


Weighing costs and benefits

The sunburn example illustrates why cost-benefit analyses (CBAs) are key to managing risk. It is usually neither feasible nor advisable to apply every possible risk control to every possible risk factor because the cost of doing so can outweigh the benefits. Indeed, destroying the sun would eliminate the risk of sunburn — but it would also eliminate life on Earth. As such, slightly less effective (and far less costly) alternative controls, such as sunscreen, are the ideal choice.

The sunburn example also highlights that some risk factors just cannot be feasibly eliminated or altered and, as such, must be accepted. Often referred to as risk acceptance, this sort of decision is notably common for factors affecting the threat sub-variable of our risk equation. Just like the sun, many threats will continue to exist in all but the most extreme circumstances — which is why prioritising controls that aim to reduce the vulnerability or impact variables of risk is usually the most effective and recommended approach from a CBA standpoint.

The CPS cyber risk landscape

How we got here

The current CPS cyber risk landscape is rooted in the fact that, historically, the cybersecurity priorities of industrial environments were limited to air-gapping OT assets. No connectivity meant no need for cyber risk controls.

Today, it is commonplace for industrial CPS environments to be intertwined with their IT counterparts and the Internet. This norm is the product of digital transformation — particularly, the explosion of IoT, and other CPS technologies that organisations are increasingly implementing both alongside, and in place of, legacy OT assets.

The benefits of this transformation are undeniable, but it also exposes CPS environments to cyberthreats. Unfortunately, the connectivity such threats exploit is growing faster than efforts to secure it, suggesting the CPS cyber risks with which practitioners must contend are worsening. Let’s take a closer look at the numbers behind these conditions.

Comparing IT and CPS cyber risk

Just as the above figures might suggest, the adoption of digital transformation initiatives that create or expand connectivity between IT and CPS environments has been a key factor in why responsibility for CPS cyber risk management has shifted largely to IT-focused cybersecurity practitioners in recent years. These conditions are also why many of the ways in which CPS differ from IT are often not only overlooked — but are further complicating efforts to secure CPS.

Table 2 details some of those key differences and their implications for cyber risk.

Table 2: Comparing IT and CPS (OT) cyber risk.


Tips for getting started with CPS cyber risk management

An ideal CPS cyber risk management program is one that effectively and efficiently assesses, prioritises and reduces the CPS exposure to cyber risk. Starting such a program doesn’t happen overnight; it’s a journey.

Begin with asset discovery

It is nearly impossible to manage CPS cyber risk without visibility into all assets comprising your CPS environment. Discovering those assets should be phase zero of your CPS cyber risk management journey because it is foundational to all subsequent CPS cyber risk controls. Here’s a high-level overview of an asset discovery strategy:

1. Define visibility goals

Align with stakeholders on your current CPS visibility and cybersecurity objectives. Using those insights, define goals for CPS visibility — the first of which should be to gain a full CPS inventory as the foundation of your CPS cyber risk management program.

2. Choose discovery methods

Next, determine which asset discovery methods will fulfil your CPS visibility goals, and then select a reputable vendor that supports them all. You will likely need to combine several of the following methods to discover all CPSs in your environment:

  • Passive monitoring: leverages switches and ports in the environment to copy traffic, which is sent to a server for analysis to identify the CPS present.
  • Active queries: sends targeted queries in the asset’s native protocol to discover CPS in the environment.
  • Project file analysis: parses project files on components of CPS environments, and doesn’t require direct connectivity.
  • Host-based discovery: installs a file on ‘host’ assets in the CPS environment, executes the file to collect details from hosts and nearby CPS, and then dissolves the file.
  • Integration-based discovery: extracts key CPS details from the environment’s existing infrastructure, such as switches, firewalls etc.

3. Implement discovery methods

Working with your chosen CPS security vendor, execute your discovery methods until you can verify that all CPS technologies have been populated within your centralised CPS inventory.

4. Enrich CPS profiles

Validate that your CPS inventory provides a fully enriched profile with a granular list of details for each asset in your environment. If key, asset-level details are missing, overlay an additional discovery method to fill in the gaps.

Ensure you can accurately score your CPS cyber risk posture

Nearly all CISOs in critical infrastructure sectors are now expected to ensure their organisation’s CPS cyber risk posture is accurately reflected in the broader risk score shared with executive leadership. Aside from full CPS visibility, this also requires a risk scoring mechanism that:

  • Reflects the broad range of risk factors and controls in the CPS environment: Every CPS environment has various factors and controls that contribute to its cyber risk posture — and as such must be considered and quantified by the CPS cyber risk scoring mechanism in order for the scores it delivers to be accurate.
  • Is flexible, customisable and transparent: Your CPS environment is unique, which is why your risk scoring mechanism must enable you to customise how different variables are weighted based on what matters (or doesn’t) to your organisation.
  • Scores cyber risk at multiple levels: Different levels of risk scores support different use cases.

Score levels should include:

  • Asset risk scores: Each asset in your CPS environment requires a cyber risk score, reflecting the likelihood and potential impact of a cyberthreat compromising that asset.
  • Site risk scores: The average cyber risk score of all assets at one of your CPS environment’s sites reflects the CPS cyber risk posture of that site.
  • Environment risk scores: The average cyber risk score of all assets across all sites comprising your CPS environment reflects your organisation’s CPS cyber risk posture.

Use risk scores to prioritise and assess the impact of controls

The accuracy of a CPS cyber risk scoring mechanism is critically important because the scores it generates should be used as the basis for determining which cyber risk controls to deploy, how to prioritise them, and how to assess their impact on the CPS environment. These scores can be particularly useful for helping answer questions such as:

  • Dozens of assets in my CPS environment are affected by the same CVE; which should I remediate first?
  • How should I allocate my budget for cyber risk controls between the various sites comprising my CPS environment?
  • To what extent has my network segmentation initiative affected my organisation’s CPS cyber risk posture?
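
The three score levels and the questions above can be worked through in a few lines of Python. This is an added example, not Claroty's scoring mechanism: the asset names, the 0 to 1 variable values and the assumption that segmentation scales the vulnerability variable are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field, replace
from statistics import mean

@dataclass
class Asset:
    name: str
    site: str
    threat: float         # 0..1: how reachable the asset is to a threat
    vulnerability: float  # 0..1: how exploitable its known flaws are
    impact: float         # 0..1: consequence if the process it runs is disrupted
    # Controls scale one variable each, e.g. {"vulnerability": 0.25}.
    controls: dict = field(default_factory=dict)

def asset_risk(a):
    """Risk = (Threat x Vulnerability) x Impact after controls, scaled to 0-100."""
    t = a.threat * a.controls.get("threat", 1.0)
    v = a.vulnerability * a.controls.get("vulnerability", 1.0)
    i = a.impact * a.controls.get("impact", 1.0)
    return round(100 * t * v * i, 1)

def site_risks(assets):
    """Site score: average of the asset scores at that site."""
    by_site = defaultdict(list)
    for a in assets:
        by_site[a.site].append(asset_risk(a))
    return {site: round(mean(scores), 1) for site, scores in by_site.items()}

def environment_risk(assets):
    """Environment score: average of all asset scores across all sites."""
    return round(mean(asset_risk(a) for a in assets), 1)

def remediation_order(assets):
    """Highest-risk asset first; answers 'same CVE, which one first?'."""
    return [a.name for a in sorted(assets, key=asset_risk, reverse=True)]

# Constructed inventory: all three assets share one CVE (same vulnerability value).
INVENTORY = [
    Asset("plc-line1", "plant-a", threat=0.8, vulnerability=0.9, impact=1.0),
    Asset("rtu-pump3", "plant-a", threat=0.5, vulnerability=0.9, impact=0.8),
    Asset("cam-lobby", "plant-b", threat=0.8, vulnerability=0.9, impact=0.2),
]
# Assumption: segmenting plc-line1 cuts the exploitability of its flaw to a quarter.
SEGMENTED = [replace(INVENTORY[0], controls={"vulnerability": 0.25})] + INVENTORY[1:]

if __name__ == "__main__":
    print(remediation_order(INVENTORY), site_risks(INVENTORY))
    print(environment_risk(INVENTORY), "->", environment_risk(SEGMENTED))
```

Because the shared CVE gives every asset the same vulnerability value, the ordering is driven entirely by threat and impact, and the before and after environment scores quantify what the segmentation control bought.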

Consider the operational limitations of controls

As noted earlier, the OT and other assets that comprise CPS environments not only underpin critical physical processes but they are also largely incompatible with standard cybersecurity approaches. Many of the controls commonly used in IT environments aren’t feasible to implement for all CPS in all circumstances. Such limitations can vary widely across assets and environments, but common ones include:

  • Vulnerability scanning: Solutions that are widely used to scan IT assets for CVEs generate too much traffic to be safely used in CPS environments. Instead, use a CPS-specific solution that passively correlates asset details with CVE databases to pinpoint vulnerable CPS.
  • Patching: Patching any vulnerability typically requires downtime, which most CPSs cannot tolerate due to the processes they underpin. Instead, consider alternative cyber risk controls, such as network segmentation, to compensate for the risk at hand without downtime.
  • Endpoint security: Antivirus, EDR and other types of standard endpoint security solutions utilise agents, which tend to be incompatible with many types of CPS. Just as with patching, network segmentation and other alternative controls should be considered instead.
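
The passive correlation described under vulnerability scanning amounts to matching inventory records against advisory data offline, with no packets sent to the assets themselves. The following is an added sketch, not a vendor's implementation: the record fields, vendor and model names and advisory IDs are constructed placeholders.

```python
def parse_version(text):
    """'2.10.1' -> (2, 10, 1), so 2.10 correctly sorts after 2.9."""
    return tuple(int(part) for part in text.split("."))

def correlate(inventory, advisories):
    """Match inventory records to advisories without sending traffic to assets.

    Returns (findings, unassessed): findings are (asset, advisory id) pairs;
    unassessed lists assets whose firmware version is missing from the profile.
    """
    findings, unassessed = [], []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["model"].lower())
        relevant = [a for a in advisories if (a["vendor"], a["model"]) == key]
        if not relevant:
            continue
        if not asset.get("firmware"):
            unassessed.append(asset["asset"])  # profile needs enrichment first
            continue
        installed = parse_version(asset["firmware"])
        for adv in relevant:
            first = parse_version(adv.get("first_affected", "0"))
            if first <= installed < parse_version(adv["fixed_in"]):
                findings.append((asset["asset"], adv["id"]))
    return findings, unassessed

# Constructed advisory feed; the IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "vendor": "acme", "model": "px-200",
     "fixed_in": "2.10.0"},
    {"id": "EXAMPLE-ADV-002", "vendor": "acme", "model": "rt-50",
     "first_affected": "1.0.0", "fixed_in": "1.4.2"},
]
# Constructed inventory, as populated by passive discovery.
DISCOVERED = [
    {"asset": "plc-line1", "vendor": "ACME", "model": "PX-200", "firmware": "2.9.4"},
    {"asset": "plc-line2", "vendor": "ACME", "model": "PX-200", "firmware": "2.10.1"},
    {"asset": "rtu-pump3", "vendor": "Acme", "model": "RT-50", "firmware": None},
    {"asset": "hmi-ctrl1", "vendor": "Other", "model": "HM-7", "firmware": "5.0"},
]

if __name__ == "__main__":
    print(correlate(DISCOVERED, ADVISORIES))
```

The unassessed list is the practical link back to profile enrichment: an asset with no recorded firmware version cannot be cleared or flagged, so it should be reported as a gap and not silently treated as unaffected.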

Keep tabs on the regulatory landscape

Another key component of any CPS cyber risk management program is the cybersecurity regulatory landscape, which has evolved considerably in recent years amid increases in the frequency and impact of cyber incidents affecting CPS environments. There are now more CPS-specific regulations than ever, so it’s crucial to track those relevant to your organisation, their requirements for compliance, and how audits work.

Closing

As all types of CPS continue to proliferate across critical infrastructure sectors, managing CPS cyber risk will only become a more crucial — and, likely, more challenging — responsibility for cybersecurity practitioners. The insights and tips shared throughout this article are intended to help you grasp some of the basics of this responsibility, but it is crucial to remember that, above all else, it’s a journey.
