There is a fourth industrial revolution coming. Following the lean revolution of the 1970s, the outsourcing phenomenon of the 1990s and the automation that took off in the 2000s, cyber-physical systems have become the next frontier.
When it comes to IoT, the convergence of smart connected devices ($26 billion by 2020 according to Gartner, $212 billion by 2020 according to IDC) and their role in cyber-physical systems surfaces several important security concerns. These include scalability (the capability of a system, network or process to handle a growing amount of work), pervasiveness (also called ubiquitous computing) and persistence (referring to the characteristic of a computing state that outlives the process that created it). These security issues may also lead to a dramatic increase in threats against a much larger attack surface which many enterprises may not be ready to undertake.
The burning platform
Historically, the edge of a network — for example, internet-connected “things” — was not connected to an IP-based network and was out of the jurisdiction of the CIO. Advances in communication protocols, the miniaturization of electronic devices and the advent of IPv6 have enabled the expansion of the network to these new elements of the enterprise. With this increase also comes an increase in revenue opportunities, but at what cost to enterprise security?
A cyber-physical system can be defined as a large physical system that can be part of a system of systems (SoS) where a distributed set of computing elements interact to control, monitor and manage the exchange of information from machine-to-machine, machine-to-human or to other cyber-physical systems. Characteristics of these cyber-physical systems can include physical distribution of systems, distributed control, supervision and management, subsystem autonomy, dynamic behaviors and reconfigurations as well as continuous evolution of the cyber-physical system itself. Also, as part of this cyber-physical SoS, there may exist within it a number of partially physically or programmatically coupled elements, where some other elements may be able to provide services independently.
The lack of built-in security in cyber-physical systems can result in unauthorized access to services and data, exposure of key enterprise elements, compromise of private data, denial of services, backdoors and malware, as well as loss or damage to critical infrastructure. As an example, the global market for network intrusion detection and prevention equipment and services is estimated at $95 billion and expected to reach $155.7 billion by 2019, while at the same time the role of threat actors such as cybercriminals, nation states, hacktivists, cyberterrorists and insiders continues to accelerate at an unprecedented rate in terms of cybercrime specialization, monetization schemes and tactics, and exploits.
Cyber-physical systems increase the attack surface and, as a result, an important aspect of this new cybersecurity frontier is the need to go beyond confidentiality, integrity and availability to protect cyber assets and extend it to a physical system to provide stability, controllability and observability (MITRE, AFCEA Conference 2016). Stability refers to the ability of a cyber-physical system to provide services within specified criteria. Controllability refers to challenges related to time- and event-driven computing, software, variable time delays, failures, reconfiguration and distributed decision support systems. Observability is used to achieve resilience within a network.
What should I do next?
Organizations should start by evaluating their cyber-physical systems in terms of six control areas: confidentiality, integrity and availability as well as stability, controllability and observability. The impact of this new paradigm will require cyber-risk practitioners to work with the physical systems engineers they support and develop new techniques to monitor and control infrastructure and enable its performance.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.