Intelligent CISO Issue 78 | Page 29

EDITOR’S question

Within asset-intensive organisations, CISOs need to completely rethink their approaches to protecting endpoints such as operational technology (OT) assets and connected medical devices. These assets are referred to as cyber-physical systems (CPS) – a term that encompasses the fact that these assets have one foot in the digital world and the other in the physical world. This inherently brings the risk implications of a cybersecurity breach to a whole new level.
For instance, on one end of a connected medical device there might be a patient, or, in an industrial plant, CPS is connected to equipment that has safety implications, like pipelines, water treatment equipment, elevators and production lines. That’s why these organisations have a culture oriented toward change aversion, as opposed to an IT culture of rapid change.
In addition to the safety implications, there are additional operational, environmental and risk constraints that need to be considered. First, due to the safety implications, these assets are infrequently updated or patched – even though in many cases they might be rife with vulnerabilities and high-risk exposures.
Second, in many cases these assets are incredibly capital-intensive investments requiring assets to be used for years after the software and operating systems are no longer supported by the vendors – so they can’t be patched.
Third, these systems are frequently unmanaged, so in many cases, you can’t install endpoint security software on these assets. Finally, in the case of medical devices, government regulation limits the ability to patch these assets without approval.
When you put these factors together, it’s clear that CISOs of asset-intensive organisations need to take different approaches to ensure the cybersecurity of CPS assets compared to IT devices. The most successful organisations take a business- and consequence-oriented approach to understand the organisational impact of a cyberattack to focus their efforts.
They also take a different orientation, shifting their aperture from the asset identity – such as a critical HMI or PLC – to an asset purpose view – understanding how a set of assets needs to work together as a system to understand how a failure of one asset could impact the whole business process. With that understanding, there are two critical processes organisations need to get right: patching where and when possible and implementing compensating controls such as network segmentation to take entire classes of cyber-risk off the table.
GRANT GEYER, CHIEF PRODUCT OFFICER, CLAROTY