Gartner report reveals trends and recommendations for cyber resilience as cyber-physical systems incidents increase.
Each year, global research and advisory firm Gartner offers its top predictions on how to secure cyber-physical systems.
In their latest report, “Predicts 2020: Security and Risk Management Programs,” Gartner looks at trends in CISO missions, geopolitics, talent management and cyber-physical systems. The report provides insight on cyber-physical incidents and Internet of Things security threats and includes recommendations for driving holistic security risk management programs.
“Every year, Gartner analysts offer their predictions on what they see as the key issues facing the business and IT practices and markets they cover,” Gartner says. “Gartner’s security and risk management analysts have developed a set of representative predictions in this space for 2020 and beyond.”
According to the report, cyber-physical systems incidents this year will accelerate calls for corporate and personal liability. As a result, Gartner predicts that IT security, operational technology (OT) security, CPS security and IoT security functions will merge into a single, centrally controlled corporate security organization.
For this reason, Gartner recommends that organizations identify all of their connected assets regardless of how they are classified. Whether IT equipment, OT equipment, building management systems, smart appliances or other IoT devices, the security of these devices is interconnected.
“Many enterprises are not aware of cyber-physical systems (CPSs) already deployed in their organization,” Gartner says. “However, operational technology (OT), smart buildings, smart cities, connected cars and autonomous vehicles are evolving, and incidents in the digital world have an effect in the physical world as risks, threats and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.”
Gartner predicts that by 2023, the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion. That’s 10 times higher than the financial impact of data security breaches in 2013.
“[I]ncidents with CPS can lead to situations where human safety is jeopardized and cyber-physical casualty reporting will replace reports on data breaches,” Gartner says. “These casualty events will be incidents that lead to loss of life rather than loss of data. Even without taking the actual value of a human life into the equation, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will dramatically exceed the 2013 costs of data breaches.”
Additionally, Gartner predicts that by 2024, liability for CPS incidents, which impact human life or the environment, will lead to personal liability for 75 percent of CEOs. As a result of the increase in CPS incidents, Gartner predicts that governments will drastically increase rules and regulations for CPSs.
“This will occur once the effects of successful attacks or incidents due to negligence in establishing a cyber-physical security function have demonstrated impacts to life and limb,” Gartner says. “Because they are engineered systems that orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans), incidents involving CPS can quickly lead to physical harm to people, destruction of property or environmental disasters. Since attacks against these systems are increasing, all industries are now being targeted, and given the little security focus and spend today that aligns to these assets, CPS incidents are likely to increase sharply in the coming years.”
Last year, the United States Senate proposed the Corporate Executive Accountability Act, which would add to existing mandates under the Occupational Safety and Health Administration. The bill would further hold executives liable for negligence in employee safety-related situations. According to the Gartner report, a bill like this will become law by 2022. Additionally, Gartner predicts that by 2022, a court will find a CEO liable for his or her company’s failure to implement basic security measures that would have prevented a fatal CPS incident.
“Because the safety of citizens is an inherently governmental concern, regulators and governments will react promptly to an increase in serious incidents,” Gartner says. “Organizations will be forced to rethink their risk profiles, realizing that focusing primarily on data security as an IT issue when increasingly connected systems live in a cyber-physical world creates blind spots. These spots will not be defensible and will instead be treated as negligence.”