Let’s Get Cyber-Physical

Integration of the physical world is one of the key differences between IT from OT. Where information technology is mostly about collecting and using digital data, OT uses that data to impact sensors, valves, actuators, sprinklers and numerous other elements of the physical world. And as the cyber-physical world evolves, unique security and safety risks grow with it.

“Due to their very nature connecting the cyber and physical worlds, Cyber-Physical Systems (CPS) greatly enlarge the threat landscape and consequences for organizations, whether they come into existence out of IT/OT convergence, IoT, IIoT or smart “X” programs. As a result, they require special focus when it comes to risk management,” write the authors of Gartner’s  2021 Hype Cycle for Cyber and IT Risk Management.

“Unlike enterprise IT systems that mainly transact data, CPS connect both the cyber and the physical worlds, and are usually deployed in operational or mission-critical environments,” Gartner continues. “This means that CPS risk management efforts need to focus on human safety and operational resilience, above and beyond traditional information risk management efforts. This is because an incident could impact both the real world and an organization’s bottom line or mission.”

The National Institute for Standards and Technology (NIST) has developed a framework for advancing CPS. The framework encompasses smart systems that interact with networks of physical and computational components. (Figure 1). To NIST, CPS are highly interconnected and integrated to provide new functionalities to improve quality of life and enable technological advances in critical areas, such as:

• personalized health care
• emergency response
• traffic flow management
• defense and homeland security
• energy supply and use

If all of this sounds like IoT, IIoT, Industry 4.0, M2M, Smart Cities and other related terms that’s because NIST has concluded, there are significant overlaps, and the framework encompasses all. More important to NIST is how CPS differs from conventional product, system and application designs in the following ways:

• CPS generally involve sensing, computation and actuation.
• CPS may be System of Systems (SoS).
• Emergent behaviors are to be expected of CPS, due to the open nature of CPS composition.
• CPS need a methodology to ensure interoperability, managing evolution and dealing with emergent effects.
• CPS may be repurposed beyond applications that were their basis of design.
• CPS are noted for enabling cross-domain applications.
• CPS should be freely composable.
• CPS must be able to accommodate a variety of computational models.
• CPS must also support a variety of modes of communication.

• CPS comprise of systems that range from standalone to highly networked.
• The heterogeneity of CPS leads them to display a wide range of complexity, which must be addressed in any design.
• There is typically a time-sensitive component to CPS, and timing is a central architectural concern.
• CPS, together or individually, ‘measure’ and sense and then calculate and act upon their environment, typically changing one or more of the observed properties (thus providing closed-loop control).
• CPS are characterized by their interaction with their operating environment (as indicated by the sensing and control loop(s) discussed above.
• The CPS environment typically includes humans, and humans function in a different way than other CPS components

The NIST document includes more detail on these features. Gartner places CPS at the very early stages of its hype cycle and doesn’t foresee an impact for 5-10 years. Some of Gartner’s reasons it is taking this long relate to limited communications between business units and the security team, siloing of security functions, continued focus on security-centric risk management and IT, shortage of appropriately skilled personnel, and lack of understanding of cyber-physical risks.

Design features that could accelerate the advancement of cyber-physical solutions include pinless electronic backplanes, antitamper processing modules and widescale compliance with standards such as the following could speed adoption of cyber-physical solutions:

• GE Achilles System Certification, which helps control system vendors to formally illustrate compliance to cyber-security requirements specified by the IEC 62443-3-3 standard
• NIST/Canadian Government FIPS-140, which validates cryptographic modules
• International Electrotechnical Commission (IEC) ingress protection ratings, which grade the resistance of an enclosure against the intrusion of dust or liquids.
• U.S. Military Standard 461 (MIL-STD-461F) and International Electrical Commission 61000 (IEC 61000) which rate protection from electromagnetic pulse (EMP.)

Whether you call it CPS, IIoT, Industry 4.0 or whatever, the need to protect at both the cyber and physical layers is fundamental. At Bedrock, we call that Open Secure Automation.

For more information on how Open Secure Automation is leading in the move to cyber-physical systems see the article: OT for Resilience and Resilience for OT.