How do you deal with Cyber-Physical technology convergence challenges?


You are a security specialist for a large bank – if asked, most would categorize your organization’s infrastructure as IT.

But the truth is, you are responsible for as many OT assets as a medium-sized manufacturing facility considered a “pure” OT entity.

So in reality, your domain of expertise should include all physical assets, regardless of their “legacy” categories.

Gartner has identified this challenge and created a converged term for it – Cyber Physical Systems. Is it just another acronym to make our lives even more complicated? Let’s dive into it and find out…

What are my assets?

The first question one needs to answer when managing asset risks is: what are my assets? The simplest answer would be that if it’s connected to any of your networks, any of your hosts, or has an impact on your physical surroundings, then it should be included as part of your asset list. The second question is: why is that important? Because the cliché in this case is correct: you can only manage the risks you know.

“Am I expected to go and start counting A/C chillers on my rooftop?” Well, if those systems are connected to your network, even just as a communication infrastructure for the subcontractor running their maintenance remotely, then yes, it’s on you. Why? Because they could be the entry point of your next attack, and having them shut down due to ransomware will remind you very quickly that servers do not run well without A/C.

If your employee working from home is using their own risky devices, such as a vulnerable gaming mouse, it’s also on you. Why? Because if an attacker, aware of the known vulnerability, gets their hands on the mouse, they can take screenshots of your cloud-based salesforce platform and leak them as part of a data-leakage campaign or “classic” IP theft.

So yes, you got it right, almost everything is on you.

What do I know about PLCs?

You’ve been around an IT environment all your career. You do remember that someone mentioned PLCs and RTUs in your early college years, but you left it to that electrical engineer guy… what was his name… John something…? So regrettably, whether you think it’s your responsibility or not, if your OT infrastructure gets used as an entry point, you’re the one to blame – and no “blame-storming” will help when you face an angry board.

You don’t have to be an electrical engineer to claim cybersecurity ownership of those previously “unfamiliar” assets. But you do need to be aware of their existence and impact on business continuity, focusing on those that pose the highest risk.

Jumping Jack

But how are you meant to manage different environments effectively when you have to jump between multiple solutions to get one answer? And to complicate things even more, each solution comes from a different vendor, mentioned in three different market guides. It’s like when you’re having a domestic night out (because your babysitter stood you up and called in sick) and want to watch a comedy, but there’s no unified list of all your options. Instead, you need to browse through several different platforms – Netflix, HBO, or Disney. Why? They all provide the same service, watched on the same TV by a single person – why complicate things? Cybersecurity shouldn’t be any different. It should be as simple as, “Hey Siri! Show me the top five risky assets in our main datacenter.” And the response should be a quick: “Here you go – you have one spoofing device detected in the power-station running your datacenter, two wireless combo mice detected on your trading floor, and John, working from home, just had a keylogger connected to his endpoint.”

Changing the terminology to Cyber Physical Systems instead of IT/OT/IoT is not just a linguistic convergence, it’s a change in state of mind, understanding that your security scope is much broader than you think. It might be overwhelming, but the good news is that as the future is moving towards convergence, so will cybersecurity tools.

So, what should you do in the meantime?

Start with enhancing your asset visibility and embrace the zero trust concept by continuously verifying every connected asset and validating its risk level to establish trust (or not). Get involved in every aspect of your infrastructure; even if you don’t know every single asset’s function (e.g., a certain PLC), you still need to make sure that it’s verified and trusted (even if an external utility company is managing that asset).

As always, stay safe – dolphins, who are considered one of the smartest mammals, sleep with one eye open: an approach worth considering when managing asset risks.

© 2023 SRC Cyber Solutions LLP. All Rights Reserved.