- Cyber-physical systems require a dual focus: engineering and cybersecurity
- Assessing cyber-physical risks is a continuous process, evolving alongside technology and emerging threats
In the world of cybersecurity, it seems like experts can’t agree on anything — especially when it comes to the terms surrounding IT/OT convergence. One might think that the term “convergence” refers to a delightful fusion of Information Technology (IT) and Operational Technology (OT), like a perfect cup of teh tarik. However, the reality is more akin to a Malaysian family gathering, where everyone is debating whether the rendang was made right. Some say IT and OT should work together seamlessly, while others insist, they’re better off in their own corners, throwing passive-aggressive comments about who made the best sambal. These disagreements set the stage for the challenges we face in understanding cyber-physical systems.
Let’s break down the difference between information systems and physical systems. Think of an information system as your favorite online shopping platform. If something goes wrong — like a glitch that prevents you from checking out your cart — you might be frustrated, but you can always try again later. On the other hand, a physical system is more like a roller coaster. If that goes wrong, you’re not just dealing with a bad day; you might be facing a thrilling (and not in a good way) ride to the emergency room. The consequences of a failure in a physical system can be catastrophic and that’s where the stakes get high.
For over 40 years, we’ve been adding computing devices and software to physical systems– turning physical systems into cyber-physical systems-, thinking we’re making them smarter and more efficient. However, with each new computing device we add, we’re also adding another target for hackers. It’s like inviting more guests to a party, only to realise that each one of them has a penchant for causing chaos. And let’s not forget about data in motion — it’s the bloodline for automation. Just like blood keeps our bodies functioning, data keeps our systems alive and kicking. But if that data gets intercepted or corrupted, we might find ourselves in a world of hurt.
When it comes to cyber-physical systems, we have two sides to consider: engineering and cybersecurity. Engineering focuses on making sure everything runs smoothly, while cybersecurity is like the overprotective parent, constantly worrying about what could go wrong. Both sides need to work together, but often they’re like oil and water — each believing they know best. The reality is that without collaboration, we’re setting ourselves up for failure.
Assessing cyber-physical risks involves a complex process that incorporates the cyber-attack path into the traditional Hazard and Operability Study (HAOP) and Health, Safety, Security and Environment (HSSE) frameworks. These frameworks are process centric in nature and not device centric. This is where the bow-tie model comes into play. Imagine a bow-tie: on one side, you have potential hazards, and on the other, the consequences. In the middle, you have controls that can prevent those hazards from turning into disasters. By integrating the cyber-attack path into this model, we can better understand how a cyber incident could lead to physical consequences. It’s like playing chess, where each move can have a cascading effect on the game.
In the bow-tie model, we identify the threats and vulnerabilities associated with cyber-physical systems. This involves looking at how a cyber-attack could exploit weaknesses in the system and lead to physical harm. By doing so, we can prioritise our controls so that we’re addressing the most significant risks. It’s a bit like playing a game of whack-a-mole — just when you think you’ve taken care of one issue, another pops up. But with a structured approach, we can stay one step ahead.
Finally, it’s essential to remember that assessing cyber-physical risks is not a one-time event; it’s an ongoing process. As technology evolves, so do the threats we face. Regularly revisiting our risk assessments and controls is crucial to staying ahead of the game. It’s like maintaining a car; if you ignore the check engine light, you might find yourself stranded on the side of the road.
Understanding cyber-physical systems and their associated risks is no small feat. It requires collaboration between engineering and cybersecurity, a structured approach to risk assessment and a commitment to ongoing vigilance to remain process centric. As we navigate this complex landscape, let’s remember to keep the lines of communication open and work together so that our systems remain safe, reliable, available and secure. After all, in the world of cyber-physical systems, it’s better to be safe than sorry — especially when the stakes are as high as they are.
Jaco Benadie is a Partner, Technology Consulting, Ernst & Young Consulting Sdn. Bhd. The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organisation or its member firms.
(Except for the headline, this story has not been edited by PostX News and is published from a syndicated feed.)
