Attacks on organizations in critical infrastructure sectors have risen dramatically, from less than 10 in 2013 to almost 400 in 2020. That’s a 3.900% increase! The impact can also be lethal, and yet incursions can easily go unnoticed. The risks are significant and real. It’s not surprising, then, that governments worldwide are mandating more security controls for mission-critical cyber-physical systems.  

The crux of the problem is that traditional network-centric, point solution security tools are no longer sufficient to combat the speed and complexity of today’s cyberattacks. This is particularly the case as operational technology (OT), which connects, monitors and secures industrial operations (machines), continues to converge with the technology backbone that processes the organization’s information. 

"Over time, the technologies that underpin critical infrastructure have become more digitized and connected to enterprise IT systems and sometimes to each other, creating cyber-physical systems," says Gartner VP Analyst Katell Thielemann. "CPS are composed of both legacy infrastructure deployed years ago without built-in security and new assets, which are also deployed full of vulnerabilities." 

This evolution leaves all CPS at significant risk of attack by hackers and bad actors of all kinds, including CPS that forms the foundation of critical infrastructure.  

What is critical infrastructure? 

Critical infrastructures may include commercial facilities, communications, energy, financial services, water and wastewater systems, and other similar sectors, depending on the country. 

Not only is each of these sectors critical to the proper functioning of modern societies, but they are also interdependent, and an attack on one can have a direct impact on others. In many countries, critical infrastructure is state-owned, while in others like the U.S., private industry owns and operates a much larger portion of it. 

Two cyber-physical systems predictions to consider 

CPS in critical infrastructure is too new an area in which to develop highly accurate security predictions, but Gartner’s strategic planning assumptions raise awareness of important scenarios that can help you consider and prioritize security initiatives. 

Here are two, and the related actions required.

No.1: By 2024, a cyberattack will so damage critical infrastructure that a member of the G20 will reciprocate with a declared physical attack. 

Action: Coordinate closely with military leaders who will soon be involved in defence of private enterprises (for example, by establishing responsibility for that coordination). 

No. 2: By 2024, 80% of critical infrastructure organizations will abandon their existing siloed security solutions providers by adopting hyperconverged solutions to bridge cyber-physical and IT risks. 

Action: Accelerate the convergence of the CPS security stack, and bolster strategies to mitigate risk by evaluating suppliers of critical infrastructure devices and software against best-of-breed product security features. 

Action: Develop an adequate CPS security strategy by deploying a holistic approach in which OT, the Internet of Things (IoT), industrial IoT and IT security are managed in a coordinated effort, not in isolation. Also identify and fill gaps in capabilities, and invest in threat intelligence support. 

Recommendations for cybersecurity leaders  

The key is to develop a holistic, coordinated CPS security strategy while also incorporating into governance emerging security directives for critical infrastructure. Equally important is conducting a complete inventory of OT/IoT security solutions used within your organization, as well as performing an evaluation of standalone or multifunction platform-based security options to further accelerate CPS security stack convergence. 

Source: Gartner, inc.