As digital systems continue to control the cyber-physical systems (CPS) that power the modern world, tried-and-true approaches to security are facing unprecedented challenges. Among those challenges, which have been greatly amplified by the convergence of IT and operational technology (OT), is rethinking how traditional IT risk management can be adapted for the unique needs of CPS.
CPS environments are inherently complex. Paired with this complexity is the sensitive nature of what they control. For example: when an IT server gets compromised, data is the target, and the fallout could include financial losses and reputational damage. If a CPS device gets compromised, however, the resulting damage hits the real world first. Heart monitors and infusion pumps that keep hospital patients alive, water treatment plants, and electrical grids are all examples of the mission-critical infrastructure that makes up CPS, and underscore why they need to be properly protected.
This is why security teams must rethink traditional risk management frameworks (RMFs) to protect CPS. What’s more, these frameworks need to account for the core pillars of CPS protection, which include asset inventory, network protection, exposure management, threat detection, and secure access.
The main obstacle faced by asset operators and security teams is that there’s no purpose-built risk management framework for CPS in existence. That means existing frameworks such as the NIST CSF, ISA/IEC 62443, and NERC-CIP have to be used as a guide for securing CPS, and the road to doing this is far from a straight line. Let’s look at the most commonly used RMFs in the IT sector and how they could be applied to protect CPS.
The ISA/IEC 62443 framework provides a thorough methodology for identifying and mitigating risks for CPS assets. It includes a set of requirements for all stakeholders involved in the design, implementation, and maintenance of industrial control systems (ICS). CISA strongly encourages critical infrastructure organizations to adopt this framework, as it’s a global industry-standard framework for security as well as compliance.
Implementation of the IEC 62443 framework for CPS relies heavily on microsegmentation throughout an enterprise network. In a hospital environment, for example, this might look like separate zones being created for increasingly sensitive equipment. This would prevent lateral movement or manipulation of an MRI machine or surgical arm if an attacker successfully breached one layer of the network.
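To make the zone idea concrete, here is an added example (not from the original article or any vendor product) that audits flow records against a zone model in which traffic between zones is allowed only over explicitly listed paths, which IEC 62443 calls conduits. The hospital zones, subnets, ports, and flows are all constructed for illustration.

```python
import ipaddress

# Constructed zones for a hypothetical hospital network (assumption, not from the article).
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "clinical_ws":   ipaddress.ip_network("10.20.0.0/24"),
    "imaging":       ipaddress.ip_network("10.30.0.0/24"),  # e.g. MRI consoles
    "surgical":      ipaddress.ip_network("10.40.0.0/24"),  # e.g. surgical arm controller
}

# Conduits: the only permitted zone-to-zone paths, as (src_zone, dst_zone, dst_port).
CONDUITS = {
    ("enterprise_it", "clinical_ws", 443),
    ("clinical_ws", "imaging", 104),   # DICOM
    ("clinical_ws", "surgical", 443),
}

def zone_of(ip):
    """Return the zone containing ip, or None if the address is not inventoried."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def check_flow(src, dst, port):
    """Classify one flow: intra-zone and conduit traffic pass, everything else is denied."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "deny: endpoint not in any zone"
    if s == d:
        return "allow: intra-zone"
    if (s, d, port) in CONDUITS:
        return "allow: conduit"
    return f"deny: no conduit {s} -> {d} on port {port}"

def audit(flows):
    """Return (flow, verdict) for every flow that crosses a zone boundary without a conduit."""
    results = [(f, check_flow(*f)) for f in flows]
    return [(f, v) for f, v in results if v.startswith("deny")]

# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.10.5.20", "10.20.0.15", 443),   # IT -> clinical workstation, permitted
    ("10.20.0.15", "10.30.0.8", 104),    # workstation -> imaging, permitted
    ("10.10.5.20", "10.30.0.8", 104),    # IT straight to imaging: skips a zone
    ("10.10.5.20", "10.40.0.3", 3389),   # IT to surgical zone over RDP
    ("10.30.0.8", "10.30.0.9", 445),     # inside the imaging zone
    ("192.168.1.5", "10.40.0.3", 443),   # source not in the asset inventory
]

if __name__ == "__main__":
    for flow, verdict in audit(FLOWS):
        print(flow, "->", verdict)
```

The denied flows are the ones a segmentation review would investigate first: a host in the IT zone reaching imaging or surgical equipment directly is the lateral movement the zones are meant to stop.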
The National Institute of Standards & Technology (NIST) has a high-level cybersecurity framework that provides guidance to a wide swath of organizations, including critical infrastructure, U.S. federal government agencies, and any others looking to improve risk management.
NIST CSF also has an OT-centric component called NIST SP 800-82, which puts maximum emphasis on compensating controls that can be deployed instead of patching a device. This is a win for production-heavy environments that can’t be taken offline easily, because it treats compensating controls as a more permanent solution rather than a temporary workaround.
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) initiative differs slightly from the other two examples above, in that it’s a legally enforceable framework that protects the bulk electric system. It establishes controls that must be in place and mandates policy development and governance approaches that manage risk within the electric sector.
Carrying potentially heavy fines for noncompliance, NERC-CIP also emphasizes the importance of protecting the physical environment just as much as the digital. It acknowledges that an attacker might not even need to break into a network—they could theoretically be a disgruntled employee walking into a data center with a set of bolt cutters.
Implementing any of these risk management frameworks successfully within a CPS environment requires organizations to start making fundamental changes to tried-and-true security approaches. This means more than just a rethinking of tools and techniques; entire philosophies of risk management must shift in any scenario in which CPS controls digital systems and processes.
Of course, this all starts with getting a comprehensive understanding of all connected assets within an enterprise network. If you can’t see it, you can’t protect it—and many of the existing frameworks emphasize the importance of asset inventories and asset management as a foundational element of CPS protection.
The caveat in this scenario, however, is that CPS risk management is a practice that functions more effectively when asset owners move beyond an asset-centric approach. When owners move to a strategy that’s based on potential business impacts of a critical device being compromised, they get the details and context they need to fully protect their business.
Why is an asset-centric approach to risk management insufficient to protect CPS?
From water treatment facilities to electrical grids, the critical infrastructure protected by CPS is simply too important to leave to chance. Attacks on CPS are growing in frequency as well as costs, with public safety hanging in the balance.
Typical solutions and safeguards designed with IT first in mind are inadequate means of defense when it comes to protecting CPS. To protect such sensitive systems, it’s important to have a granular understanding of each device’s configurations, communication pathways, and what role they play in the broader organization.
Asset-centric models typically assess vulnerabilities without accounting for impacts in the physical world. For example, a vulnerability that could allow manipulation of industrial equipment might present a far greater risk than one that affects only data.
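The difference between the two models shows up as a change in remediation order. The following added example (not from the original article or the Claroty Platform) ranks the same findings by severity alone and then by severity weighted by real-world impact; the assets, severity scores, and impact weights are constructed and hypothetical, not a published scoring method.

```python
# Constructed findings: severity is a 0-10 technical score, impact is what the
# device touches in the physical world (both are illustrative assumptions).
FINDINGS = [
    {"asset": "file-server",   "severity": 9.1, "impact": "data"},
    {"asset": "badge-printer", "severity": 8.0, "impact": "none"},
    {"asset": "hvac-plc",      "severity": 7.2, "impact": "process"},
    {"asset": "infusion-pump", "severity": 6.5, "impact": "patient_safety"},
]

# Hypothetical weights: how much a compromise matters beyond the data itself.
IMPACT_WEIGHT = {"none": 0.5, "data": 1.0, "process": 1.5, "patient_safety": 2.0}

def asset_centric(findings):
    """Rank by technical severity only, ignoring what the device controls."""
    return sorted(findings, key=lambda f: f["severity"], reverse=True)

def impact_score(finding):
    """Severity scaled by the consequence of the device being manipulated."""
    return finding["severity"] * IMPACT_WEIGHT[finding["impact"]]

def impact_centric(findings):
    """Rank by severity weighted by physical-world impact."""
    return sorted(findings, key=impact_score, reverse=True)

def promoted(findings):
    """Assets that move up the queue once physical impact is taken into account."""
    before = [f["asset"] for f in asset_centric(findings)]
    after = [f["asset"] for f in impact_centric(findings)]
    return [a for a in after if after.index(a) < before.index(a)]

if __name__ == "__main__":
    print("severity only:  ", [f["asset"] for f in asset_centric(FINDINGS)])
    print("impact weighted:", [f["asset"] for f in impact_centric(FINDINGS)])
    print("promoted:       ", promoted(FINDINGS))
```

With these constructed inputs the infusion pump moves from last to first in the queue, even though its technical severity is the lowest of the four.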
By systematically adapting the RMF to address the unique characteristics of CPS, organizations can develop strategies that effectively manage risk without causing operational downtime. With its impact-centric approach to risk management, the Claroty Platform can help organizations get there.
By taking a programmatic approach to risk management, Claroty can help organizations reduce risk, ensure operational integrity, and stay within regulatory compliance through a strategy that’s tailored to fit your specific business. Get started by requesting a free demo, and get on the path to holistic CPS protection.