24 Mar Developing an Action Plan for Cyber-Physical Systems
Developing an action plan for cyber-physical systems is an integral part of a complete risk management program that continues to grow in importance. According to Gartner, “By 2023, 75% of organizations will restructure risk and security governance to address new cyber-physical systems (CPS) and converged IT, OT, Internet of Things (IoT) and physical security needs, which is an increase from fewer than 15% today.”1
RiskWatch interprets this drastic increase as a sign that businesses are understanding the new threats and vulnerabilities of their organizations that are not currently being addressed. Addressing cyber-physical systems allows companies to mitigate risk, increase preparedness, and better align their organizational goals.
What Are Cyber-Physical Systems?
So, what is a cyber-physical system? As defined by the National Science Foundation, cyber-physical systems integrate sensing, computation, control and networking into physical objects and infrastructure, connecting them to the Internet and to each other.” Shortly, a CPS is an integration of computation, networking, and physical processes. While this integration brings about new potential, there are new risks as well. This integration means that cyber attacks can affect physical assets, and the reversal is also true. This reality demands a unified vision for cyber and physical security.
Benefits of a CPS Plan
While a lot of resources are required in establishing a proper CPS plan, the benefits of this effort are invaluable. At a surface level, an organization can say that they are simply mitigating risk, but the reality delves much deeper into the ability of the organization to continue to operate. A proper CPS plan will unify vision and communication, eliminating any gaps between teams and increasing transparency. Operations maintain reliability as the possibility of system shut down is reduced. Reputational risk is reduced as the possibility of a data breach decreases. Shipments are delivered on time thanks to cybersecurity efforts. The list goes on. The focus then shifts to how an organization can begin the planning process.
Steps for the plan
Understand Risk and Perform Current State Assessment
The first step in creating your plan is to understand the types of risks that exist and the impact they can cause to your organization. This knowledge sparks the CPS planning process and creates a champion for the management process.
Develop Goal and Perform Gap Analysis
After assessing the current state of your organization, you’ll be in a position to set your goals. In this stage of the process, consider company goals and vision, and determine how changes will help align your organization with those goals. The gap analysis will clarify where you are at and where you need to be to ensure you are secure.
Action List to Mitigate Most Important Risks
After performing a gap analysis, your next step is to interpret the severity of each of the risks you have identified. This creates a solid action plan for your organization, determining what will be done and in what order. As you solidify this action plan, be sure to clearly dictate the end goal or expected result of each action to show how it helps reduce risk and align you with set goals.
Secure Resources and Communicate Risk
The next step is to present this information to the board, upper management, or whomever will authorize the resources to execute the action plan. The designated champion must properly communicate all data collected thus far, stating the disconnect between current state and the ideal, discussing how the selected actions will improve the bottom line.
Implement Policy and Changes
Once approval is received, it is time to implement changes, either alone or with a team. These changes will have been identified from your action plan and will close gaps. The necessary policies and trainings will be implemented to communicate changes across the organization and ensure changes are effective. This includes physical security measures and controls.
Report on results
No effort is validated without supporting data. The sixth step in the CPS plan is to report on any results of lack thereof from the action plan. This report should clearly indicate the state of the organization prior to action, what change was implemented, and how this affected the organization. It is important to note that not every action will have a definable change, but simply further mitigates a risk or better aligns your organization with an end goal.
The final step in the process is to continuously monitor this aspect of your organization, looking closely at action items and refining where needed. Not all implemented changes will remain effective as CPS technology develops and priorities will switch as the relationship to organizational goals changes. This is the opportunity to ensure that strategy is being executed as planned until the process repeats and you can benchmark progress over time.
RiskWatch for CPS Planning
According to Gartner recommendations, SRM leaders should “Follow a classic current-state assessment, gap analysis, prioritization, approval and reporting process flow to formalize the vision into actions. This will create a fact-based business case approach that will help purposefully rally the organization behind common objectives.”1
RiskWatch asserts we meet this recommendation, helping SRM’s through not only the current-state assessment but also the CPS planning process and creating a roadmap. We provide content for the current-state assessment that can be customized and provide a standardized workflow and tech for the required functions. The software identifies gaps and often recommends remedial action, which aids in creating an action list and prioritizes efforts with risk scores. The platform tracks progress on tasks, creating transparency across departments and easy follow-up. Customizable reports and instant data analysis highlight efforts and identify progress made. RiskWatch software enables continuous monitoring, supported with trending risk and compliance scores.
To read more Gartner recommendations on developing a CPS strategy as well as their detailed process, click here for complimentary access to their report.
1 Source: Gartner, How to Develop a Security Vision and Strategy for Cyber-Physical Systems, Katell Thielemann, 4 April 2029, Refreshed 1 September 2020, Published 4 April 2019