What is cyber physical systems (CPS) security?
According to the National Institutes of Health’s National Library of Medicine, the term cyber physical systems (CPS) was introduced in 2006 to describe “an orchestration of computers and physical systems” where “embedded computers monitor and control physical processes, usually with feedback loops, where physical processes affect computations and vice versa.”
In simple terms, a CPS combines computer-based algorithms (the “cyber” part) with physical processes or components (the “physical” part) to perform a task or solve a problem in the real world.
A CPS integrates computer-based intelligence with the physical world to monitor, control, and optimize processes. Common across many industries and applications, cyber physical systems play a crucial role in improving efficiency, automation, and connectivity in daily life and in industry.
What are examples of cyber physical systems?
More recently, Gartner has used the term cyber-physical systems to describe all connected technologies essential to digital operations and infrastructure across industries. As such, cyber physical systems include elements associated with the Internet of Things, operational technology (OT), and Internet of Medical Things, like sensors, building management systems, and healthcare devices.
Examples of CPS include:
- Self-driving cars
- Smart medical devices and telemedicine systems
- Smart factories
What is the difference between a cyber physical system and an Internet of Things (IoT) device?
The terms CPS and IoT are closely related and often used interchangeably, but they are distinct from one another. A cyber physical system can minimize human involvement, whereas an IoT device can eliminate it.
While self-driving cars can make navigation decisions through a combination of sensors, cameras, radar, lidar (remote sensing), GPS, and a sophisticated onboard computer system, they still must be able to communicate with their human passengers. For instance, they might request human intervention when they encounter scenarios they find challenging or ambiguous.
On the other hand, a smart thermostat (an IoT device) can make decisions and take actions on its own. The thermostat (physical component) interacts with the room’s temperature but is also connected to a computer system (cyber component) that processes information and makes decisions based on the data it receives from the thermostat. The computer system can adjust the temperature settings and even turn the heating or cooling system on or off to maintain the desired temperature.
Why is cyber physical system security important?
The interconnected nature of CPS significantly increases cybersecurity risk and the attack surface. “Due to their very nature, cyber-physical systems face security threats unlike those affecting enterprise IT systems,” says Katell Thielemann, VP Analyst for Gartner. “They are typically used in operations or mission-critical environments where value is created for organizations, so attackers are increasingly targeting them.”1
Examples cited include:
- Ransomware attacks bringing down gas pipelines, halting logistics operations and disrupting steel production
- GPS spoofing affecting ship navigation
With a growing number of devices and systems being interconnected, security challenges will only grow. As Gartner underscores, “Due to the nature of cyber-physical systems (CPSs), incidents can quickly lead to physical harm to people, destruction of property or environmental disasters.” With that in mind, “Gartner analysts predict that incidents will rapidly increase in the coming years due to a lack of security focus and spending currently aligning to these assets.”2
In fact, a report by ABI Research found that malware targeting IoT devices climbed 700% during the pandemic, and targeted over 500 different types of devices. Moreover, the attacks have grown increasingly sophisticated, putting both networks and data at risk.
What are common cyber physical system security challenges?
Since cyber physical systems process information while also managing and optimizing physical outcomes – whether for a single process or an entire ecosystem – traditional security approaches fall short. Moreover, these systems are often designed without security in mind.
As the Department of Homeland Security says, “Advances in networking, computing, sensing and control systems have enabled a broad range of new [CPS and IoT] devices. These systems are being designed and deployed now, however, security often is left for later…”
Consider that Forescout Research – Vedere Labs discovered 56 vulnerabilities affecting devices used in industries including oil and gas, chemical, nuclear, power, manufacturing, water, mining, and building automation. These vulnerabilities are the result of insecure-by-design practices in OT, yet many of these products are sold as “secure by design” or have been certified with OT security standards.
Complicating matters is the difficulty of patching CPS (i.e., vulnerability management). With so many interconnected devices – often a mix of old and new assets – and a variety of protocols making up a CPS, it is challenging to pinpoint what needs patching. Even once the root cause or true threat has been identified, patches must be tested on each individual device. It doesn’t help that there is a shortage of talent with specialized security skills.
Another major issue is the different priorities of IT and OT security teams. IT teams usually prioritize data confidentiality over integrity and availability. On the other hand, OT teams prioritize data availability over integrity and confidentiality. Furthermore, since most IT and OT security teams operate as separate entities, they lack a holistic view of security threats.
What should security professionals look for in a CPS protection platform vendor?
In its Market Guide for Cyber-Physical Protection Platforms, Gartner defines cyber physical systems (CPS) protection platforms as “products and services that use knowledge of industrial protocols, operational/production network packets or traffic metadata, and physical process asset behavior to discover, categorize, map and protect CPS in production or mission-critical environments outside of enterprise IT environments.”3
As security and risk management (SRM) leaders evaluate their options and narrow their selection, Gartner advises that they review the following capabilities and features:
- Discovery, visibility and categorization of CPS assets. In addition to passive port mirroring and deep packet inspection, many platforms include active queries using a variety of means (e.g., native industrial protocols, or project file analysis from assets like human-machine interfaces (HMIs)). Some solutions support far more industrial communication protocols than others.
- Detailed pedigree of assets. Most solutions display the following attributes:
  - Asset name, category, type, vendor, model, serial number; connection info (first seen, last seen, last modified, persistence)
  - IP and MAC addresses, wireless AP location
  - OS/software/firmware versions
  - Network, subnet, virtual LAN (VLAN)
  - Patch level
  - Open ports
  More advanced features include a financial profile, device owner, latitude and longitude, USB devices and their status, and contextual physical-process variables; platforms can also be configured for custom attributes.
- Deployment models. While most solutions offer on-premises, cloud-based (private or public), or hybrid options, many also require the deployment of physical, virtual, or container-based sensors. Inquire to understand ease and speed of deployment, along with time to value.
- Detailed network diagrams and data flows. Most solutions enable visualizations of linkages and data flows between all assets and enable drill downs. Look into the visualization formats and whether it’s possible to visualize multiple views at multiple levels.
- Network segmentation. To contain the attack surface and limit the reach of any threat, proper segmentation is critical. Most solutions allow security teams to group segments by multiple attributes (e.g., VLAN, asset category or type, security posture) and can generate a segmentation approach to be used by common network access control (NAC) or firewall solutions. More advanced solutions can compare expected and actual firewall configurations, align to specific frameworks like IEC 62443, recommend policies based on operational or industry context, and more.
- Vulnerability management. Most protection platforms “correlate the outputs from asset discovery with common vulnerability and exposures (CVE)/manufacturer recall databases and third-party vulnerability repositories, prioritize for known exploited vulnerabilities, flag unsecure application usage and default passwords, provide remediation guidance including alternative compensating controls, and provide a ticketing mechanism to track actions. More advanced solutions:
  - Include a mechanism to prevent IT scanners from touching CPS
  - Provide a contextualized risk score based on asset criticality and likelihood of exploitability
  - Enhance findings and risk score with real world knowledge of their research teams.”
- Threat intelligence management. Most solutions include indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs) from threat intelligence feeds and advisories, signature-based detections, reports aligned to the MITRE ATT&CK for ICS framework, and flagging of anomalous behavior. More advanced solutions can deliver raw telemetry for analytics deep dives, attack simulation maps, ingestion of machine-readable threat intelligence in STIX/TAXII format, and industry-specific threat intelligence curated by research teams. They can also ingest unique or customized threat intelligence feeds and monitor USB ports.
Gartner advises security and risk management leaders to pilot 3–4 CPS protection platforms. Once the chosen platform is deployed, SRM leaders should integrate the platform’s output into centralized IT security tools while continuously sharing CPS monitoring data with engineers, maintainers, and operators.
How does Forescout help with cyber physical system security?
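The vulnerability management capability above (correlating discovered assets with advisories, prioritizing known-exploited CVEs, flagging default passwords, and producing a criticality-weighted risk score with remediation guidance) can be sketched as follows. This is an added illustration, not Forescout's or Gartner's code; the asset inventory, advisory records and CVE ids are constructed placeholders.

```python
# Added example, not Forescout's or Gartner's code: correlate a CPS inventory with
# advisories, prioritize known-exploited CVEs, flag default passwords, score by criticality.
ASSETS = [  # constructed inventory with attributes a CPS platform would surface
    {"name": "PLC-LINE1", "vendor": "ExampleVendor", "model": "PLC-100",
     "firmware": "2.3.1", "criticality": 5, "default_creds": True},
    {"name": "HMI-PANEL-7", "vendor": "ExampleVendor", "model": "HMI-7",
     "firmware": "1.0.9", "criticality": 3, "default_creds": False},
    {"name": "PRINTER-LOBBY", "vendor": "OtherVendor", "model": "P-20",
     "firmware": "4.4.0", "criticality": 1, "default_creds": False},
]
ADVISORIES = [  # constructed records; CVE ids are placeholders, not real ones
    {"id": "CVE-XXXX-0001", "vendor": "ExampleVendor", "model": "PLC-100",
     "fixed_in": "2.4.0", "severity": 9.8},
    {"id": "CVE-XXXX-0002", "vendor": "ExampleVendor", "model": "HMI-7",
     "fixed_in": "1.1.0", "severity": 6.5},
]
KNOWN_EXPLOITED = {"CVE-XXXX-0001"}  # constructed "known exploited" list

def version_tuple(v):
    """'2.3.1' -> (2, 3, 1), so firmware versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def find_vulns(asset):
    """Advisories for this vendor/model whose fix is newer than the running firmware."""
    return [a for a in ADVISORIES
            if (a["vendor"], a["model"]) == (asset["vendor"], asset["model"])
            and version_tuple(asset["firmware"]) < version_tuple(a["fixed_in"])]

def risk_score(asset, vulns):
    """Worst severity x exploit factor (1.0 known exploited, else 0.5) x criticality/5; default password floors it."""
    base = max((v["severity"] for v in vulns), default=0.0)
    exploited = any(v["id"] in KNOWN_EXPLOITED for v in vulns)
    score = base * (1.0 if exploited else 0.5) * asset["criticality"] / 5
    if asset["default_creds"]:
        score = max(score, 7.0 * asset["criticality"] / 5)
    return round(score, 2)

def prioritize(assets=ASSETS):
    """Findings sorted highest risk first, each with remediation guidance."""
    findings = []
    for a in assets:
        vulns = find_vulns(a)
        guidance = [f"upgrade to {v['fixed_in']} ({v['id']})" for v in vulns]
        if a["default_creds"]:
            guidance.append("change default password")
        if any(v["id"] in KNOWN_EXPLOITED for v in vulns):
            guidance.append("compensating control: isolate segment until patched")
        findings.append({"asset": a["name"], "cves": [v["id"] for v in vulns],
                         "score": risk_score(a, vulns), "guidance": guidance})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```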
Forescout’s data shows that around 24% of connected devices in every organization are no longer traditional IT. The growing number and diversity of connected devices introduces new challenges when it comes to understanding and managing risk exposure.
As digitalization accelerates the convergence of our physical and cyber worlds, security professionals are contending with the growing complexity and vulnerability of previously isolated OT, ICS, and CPS networks.
Any environment relying on CPS needs continuous asset discovery, assessment and governance to detect and remediate cyber threats before they lead to operational or security incidents – and to regulatory fines and downtime.
Our security solution can reduce operational and security risk in CPS environments.
Forescout automates the discovery, assessment and governance of all OT, IoT and IT assets to reduce cyber and operational risk. The Forescout Platform continuously identifies and mitigates risk across all cyber assets in an organization’s digital terrain, including sensitive OT/ICS/CPS. We offer a continuously expanding Industrial Threat Library and ICS-specific Indicator of Compromise (IOC) & Vulnerabilities (CVE) database to passively identify any threat to operational continuity and assess every connected asset’s risk. Updated regularly, it contains thousands of behavioral checks and threat indicators to protect asset owners from advanced cyberattacks, network misconfigurations and operational errors.
For even greater protection, organizations can leverage Forescout Assist, a threat analytics engine that combs through vast amounts of asset, networking and log information to identify and prioritize the most critical threats.
In addition, Forescout provides a unique Asset Risk Framework that calculates two risk scores for each asset, evaluating both cybersecurity and operational risk. Based on impact, they are continuously refreshed using detected events associated with the asset, proximity to other potentially infected or misbehaving assets, communication links, known vulnerabilities and other details. These multifactor risk scores enable OT engineers and security teams to make informed decisions and prioritize the right actions.
1 Gartner, Develop a Security Strategy for Cyber-Physical Systems, Susan Moore, April 13, 2021
2 Gartner Press Release, “Gartner Predicts 75% of CEOs Will be Personally Liable for Cyber-Physical Security Incidents by 2024”, September 1, 2020. https://www.gartner.com/en/newsroom/press-releases/2020-09-01-gartner-predicts-75–of-ceos-will-be-personally-liabl
3 Gartner, Market Guide for Cyber-Physical Protection Platforms, Katell Thielemann, Wam Voster, June 29, 2023