Should CEOs take responsibility for cyber-physical security incidents?

According to Gartner, 75% of CEOs will be held personally responsible and accountable for cyber-physical security incidents.

Due to the nature of cyber-physical systems (CPSs), incidents can quickly lead to physical harm to people, destruction of property or environmental disasters. Gartner analysts predict that incidents will rapidly increase in the coming years due to a lack of security focus and spending currently aligning to these assets.

Cyber-physical security

Gartner defines CPSs as systems that are engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans).

They underpin all connected IT, operational technology (OT) and Internet of Things (IoT) efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure and clinical healthcare environments.

“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” commented Katell Thielemann, research vice president at Gartner.

“In the US, the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”

IoT ushering in the era of physical/digital convergence

The IoT has created an array of opportunities for the manufacturing industry. The ability to augment physical devices in real-time underpins this. Read here

Growing financial impact means the CEO must take charge

Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023.

Without taking the actual value of a human life into the equation, the costs for organisations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant.

“Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them,” continued Thielemann.

“The more connected CPSs are, the higher the likelihood of an incident occurring.”

A convergence of the physical and digital

With OT, smart buildings, smart cities, connected cars and autonomous vehicles evolving, incidents in the digital world will have a much greater effect in the physical world as risks, threats and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.

However, many enterprises are not aware of CPSs already deployed in their organisation, either due to legacy systems connected to enterprise networks by teams outside of IT, or because of new business-driven automation and modernisation efforts.

“A focus on ORM — or Operational Resilience Management — beyond information-centric cyber security is sorely needed,” Thielemann added.

Avatar photo

Nick Ismail

Nick Ismail is the editor for Information Age. He has a particular interest in smart technologies, AI and cyber security.

Related Topics

Gartner