As cyber-physical systems (CPS) protection matures as a discipline, dedicated cybersecurity governance becomes a strategic necessity that helps CIOs, COOs, and CISOs ensure uptime, insurability, reliability, and safety of operations.
The caveat here is that traditional—and understood—IT governance frameworks that are familiar to cybersecurity teams are insufficient for oversight of operational technology (OT) assets, internet of medical things (IoMT) devices, smart building automation systems, and overall CPS environments.
The stakes are also incomparable because IT governance fails to go far enough to ensure that hackers cannot cause physical damage to aspects of production lines, interrupt services, create environmental hazards, or threaten the safety of employees and/or the general public.
This blog will explain:
The strategic necessity for CPS security-specific governance frameworks
Why resilience must be the driving force behind governance
What existing governance frameworks can be tailored for CPS protection
Operational realities have changed for many enterprises. The introduction of connectivity for once-isolated operational systems and the rapid adoption of artificial intelligence (AI) for everything from predictive analytics to informing data-based workflows is forcing technology and business leadership to reconfigure governance priorities.
CPS is at the core of that new reality, with automated factory floors, remotely managed building automation, and advanced medical technology making up a modern new tech stack that must be protected. A governance approach designed to mitigate and measure risk to servers, email, and endpoints is too limited for CPS environments.
Furthermore, threat actors understand the fundamental weaknesses of CPS, including the legacy technology underpinning critical processes. OT, for example, is designed to be operational for decades, and is often too expensive to replace. Compensating controls are often the only solution for organizations knee-deep in internet-facing assets running legacy operating systems and communicating over ancient and insecure protocols.
Threat actors, meanwhile, are finding it trivial to exploit these exposures, often with decidedly low-tech hacks that amount to using default or known credentials to access systems connected to the internet. These assets are being enumerated and leveraged at scale to attack organizations in certain industries or regions, often for geopolitical gain.
A mature CPS protection program must implement governance frameworks that ensure operational continuity, cyber resilience, and safety and reliability. Unlike traditional IT governance, CPS governance cannot prioritize security controls that negatively impact operational availability. A poorly implemented security policy that disrupts industrial operations can create consequences equal to—or worse than—the cyber threat itself.
Effective CPS governance frameworks should focus on operational resilience as the primary business outcome. Organizations should structure governance programs around four foundational pillars that from top to bottom ensure that organizations can withstand breaches and maintain uptime and reliability.
CPS security governance requires coordination between cybersecurity, operations, engineering, safety, compliance, facilities, and executive leadership. Fragmentation is the enemy of governance with competing incentives and misunderstood priorities often enhancing risk to the overall organization.
Business leaders must engage executive leadership and lobby for their sponsorship of CPS governance, laying out the strategic and operational necessity for it. Executives must, for their part, make IT and OT/IoT/IoMT leaders share accountability for protecting CPS environments. Risk ownership must be defined and assigned, with oversight ultimately laying with the executive suite and the board.
Cybersecurity governance becomes far more effective when operational resilience is treated as a shared business objective rather than a siloed security initiative.
CPS assets are complex and mapping interactions and dependencies is an indispensable first step in any protection program. Organizations must strive for a comprehensive asset inventory in order to not only understand dependencies, but the data will inform how the rest of the protection program is developed and implemented.
Operational leaders must not be satisfied to have a list of assets and call it an inventory. Asset information must be organized into a CPS-specific taxonomy that is regularly updated and physically validated in order for it to be useful.
What constitutes “useful” asset information? Start with asset discovery and insist on obtaining software and firmware information, network communication mapping, identification of external connections, third-party access mapping, and process dependencies, for starters.
This visibility enables organizations to understand how cyber incidents could impact physical operations and business continuity.
Governance programs should emphasize resilience-oriented architectures that assume compromise is inevitable. The most important mitigation is segmentation, an oft-cited compensating control in any CPS environment that is essential to operational continuity even during a compromise because it reduces the likelihood an incident propagates laterally into operational systems.
Segmentation guarantees the isolation of sensitive network zones from the public internet and/or business networks in order to limit an attacker’s ability to burrow deeper onto the network. Organizations should view segmentation as a tool to force traffic through security monitoring and detection in order to block malicious traffic and log potentially illicit activity. Advanced segmentation programs may also involve microsegmentation where security tools are moved closer to workloads and applications, further isolating them from backend systems such as databases.
An effective governance policy must therefore define who develops, approves, and audits network segments. Zero trust should be the overarching governance principle for secure remote access and privileged operational accounts. The principle of least privilege must govern how zones interact, and who has access to them. Organizations should also periodically determine whether zones must change in order to meet evolving business requirements or new technology deployments.
CPS governance must account for operational recovery planning as part of overall incident response. Resilience is nested within an organization’s ability to not only withstand incidents, but also recover quickly from them. Any governance exercise and framework must be developed around operational impacts, safety considerations, and physical process recovery.
Standardized CPS-specific incident-response playbooks are essential. Operational teams, including engineers, must be involved in writing these playbooks. They understand safety systems and the potentially negative impacts of certain processes that can cause physical damage to equipment or put people at risk for harm. Governance frameworks must account for these safety-integrated procedures, and develop contingency plans that center on manual operations if IT or OT systems fail for a given period of time.
Testing these frameworks through quarterly or biannual tabletop exercises is mandatory. These exercises bring stakeholders together to evaluate the effectiveness of recovery processes, and without a governance framework laying out these mandates, recovery operations will likely introduce unacceptable downtime or reliability issues.
A CPS governance program must be built on top of an established framework that guides operations toward resilience and recovery in the event of an incident. The most widely adopted framework is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF 2.0), a governance model centered around identifying, protecting, detecting, responding, recovering, and governing cyber risk.
Others that may be referenced include:
International Society of Automation ISA/IEC 62443 for industrial automation and control systems security
NIST SP 800-82 for industrial control systems security guidance
ISO 27001 for enterprise information security governance
CISA Cross-Sector Cybersecurity Performance Goals (CPGs)
CPS cybersecurity governance is an indicator of a mature organization that understands the operational impact of downtime due to a cyber-related incident. Regulators, insurers, investors, and customers increasingly expect organizations to demonstrate operational resilience against cyber threats.
Governance programs that integrate cybersecurity with operational continuity, safety, and resilience are becoming essential to maintaining trust and reducing business risk. CPS governance is about ensuring that critical operations remain safe, reliable, and resilient despite a sophisticated cyber threat landscape that is frequently leveraging CPS to gain a foothold within organizations.
Talk to a Claroty expert to improve CPS governance and how the Claroty Platform can help.
How CPS Resilience Enables Data Center Sustainability
Meet Claire: The Industry’s First CPS-Native AI Security Agent
Instantly Visualize Your CPS Environment with AI
Interested in learning about Claroty's Cybersecurity Solutions?
Life, uninterrupted
We maximize your availability, strengthen your insurability, and support compliance to ensure operational resilience.