
For State and Local Government, Cyber-Physical Governance is a Public Good


Cyber-physical systems (CPS) have rapidly become the central nervous system of our society. Because of their criticality, CPS require better oversight. Maturity in this area cannot wait any longer.

From building management and automation systems (BMS) that streamline operational processes, to the HVACs, water pumps, and access controls underpinning daily life—CPS are ubiquitous.

The more connected we become, the more vulnerable we become.

Yet across the public sector—especially at the state, local, tribal, and territorial (SLTT) levels—governance of CPS risk is mostly an afterthought. Many leaders don’t know what assets they have, let alone their threat exposure levels. In this age, invisible and unmanaged CPS assets are the Trojan horse.

A reality check is needed, because CPS systems are here to stay. Bringing the CPS risk domain into full view is imperative; failing to govern CPS risk effectively is a potential threat to public health, safety, and trust.

A Restless Threat Landscape and Our Quality of Life

Regardless of our status, public goods contribute mightily to our way of life.

Investopedia defines a public good as any product or service that is available to all residents of society, and these include infrastructure, public healthcare, clean air, and clean water. A vast and evolving threat landscape awaits each of these critical services, largely dependent on the resilient operation of CPS. Many of these services sit at an intersection of common and shared threats.  

Worse, economically insecure and disadvantaged groups are the most at risk when things fall apart, and many of them reside within communities exposed to multiple risk factors.

Why Cooling Centers are a Critical Service

Critical services will fail–and fail spectacularly–if comprehensive oversight and governance remain lacking. This is especially true given that CPS underpins many services critical to a functioning and healthy society. People depend on municipalities to provide some of these services in a pinch when the going gets tough.

Take cooling centers, for example.

Vulnerable groups such as the elderly or the poor have relied on this service for many years as our planet has been heating up.  According to the World Health Organization, “heat-related mortality for people over 65 increased by 85% between 2000-2004 and 2017-2021”. In large cities especially, the risk to public health is substantial, owing largely to design and architectural makeup.  

Across the country, heat advisories necessitate the operation of cooling centers to provide relief to vulnerable groups as a matter of public health. Most cooling centers operate in municipal buildings: police stations, community centers, senior centers, and public libraries often provide essential cooling as a public good. 

The problem is, the systems forming the foundation of cooling operations are often unsegmented, largely discoverable by threat actors, and mostly uncontrolled. Commonly, remote access to these systems is provisioned within master service agreements (MSAs) that do not always explicitly call out secure remote access restrictions and platforms.

HVAC systems and their administrators are among the heroes delivering these bastions of relief, a critical service.

Modern HVACs rely on systems of sensors, programmable logic controllers (PLCs), relays, and communication networks, which can fail and carry a degree of risk and vulnerability.  For example, if any of these components were to fail within the HVAC system at a public library, there’s potential for real community impact upon public health. Policymakers and analysts have been taking note.

Whether we’re talking about cooling operations during the summer or warming operations during the winter, lack of cyber-operational governance within these public goods could have cascading consequences for public health, and HVAC is only one example.

The Importance of CPS Governance

If you are on the cyber frontlines, when you read the word governance you may think of red tape and ivory towers. Like enterprise architecture, many recoil at the thought.

If you are a leader, then you’ll know that in an ideal world, governance is the mechanism through which we turn detection into protection. Governance is how we move from visibility to swift and accurate action with leadership support; and action is what saves lives, services, and protects against cascading failures. 

Due diligence is required.

Typically, when we hear about due diligence, we think of mergers and acquisitions (M&A). After a business enters into talks to buy or merge with another, there’s a period where the acquiring company must discover any material oversights or weaknesses in the deal’s structure or the soon-to-be-acquired entity’s business operations; the acquiring business is taking on a lot of potential risk, and it must work collaboratively to reduce that risk to an acceptable level to protect the deal and preserve shareholder value. Due diligence can be viewed as the defense layer of M&A.

Risk information must be synthesized, flowing freely to risk owners within the organization. 

Policy decision and enforcement points must perform continuous due diligence on available risk information prior to allowing subjects access to objects, and throughout the life of a subject-object interaction. This is only possible by doing a lot of homework at wire speed. This is what makes the promise of zero-trust architecture (ZTA) so powerful.

If we think of cooling centers as a service to be delivered, then the service must be designed and governed in a way that considers human impact and builds resilience into the service from the start. The net result is that the availability of a vital public good is protected and assured. For critical infrastructure owned and operated by the public sector, continuous due diligence fosters public good.

Why Funding CPS Security for Critical Services is Essential

Fortunately, in the case of cooling centers, this is not just a security conversation.

This is an opportunity to fund resilience efforts using federal, state, and even philanthropic grants designed expressly for modernizing a public good.

  •  HUD’s CDBG Grants allow for HVAC and physical access control system (PACS) improvements in low- and moderate-income areas. As there have been many changes and retractions to federal funding programs, be sure to check eligibility requirements within the link provided.

  •  The Department of Homeland Security (DHS) has set aside more than $100M in funding to improve the cybersecurity capabilities within communities across the U.S., territories, and tribal lands. The State and Local Government Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TGCP) will make up the Notice of Funding Opportunity (NOFO). The SLCGP has earmarked $91.7M while the TGCP has $12.M for these and similar improvements.

Public sector leaders who recognize the CPS footprint for cooling centers and demonstrate visibility, segmentation, and enforceability are better positioned for grants, ratepayer trust, and insurance underwriting acceptance.

Bridging the Strategy-Execution Gap

For state and municipal leaders, visibility is the key to risk awareness. Governance and cyber risk management require CPS awareness—and operational technology risk in total—now more than ever.  

Flat networks are still all too common today, so unfortunately it is not uncommon to find an HVAC system on the same broadcast domain as the smart TV in the village hall’s conference room, for example. That is alarming.

Dissimilar systems sitting adjacent to each other on the same network only give threat actors a convenient means to execute on their motives, where the point of entry may not be the point of attack. Unmitigated risk makes their jobs much easier.
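To make the flat-network problem concrete, the following added example (not Claroty code or part of the original post) audits an asset inventory for segments where CPS devices share a broadcast domain with unrelated devices. The inventory rows, the device class names, and the `CPS_CLASSES` set are constructed assumptions, and a VLAN plus IP subnet is used as an approximation of a broadcast domain.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample inventory (not real data): address/prefix, VLAN, device class.
INVENTORY_CSV = """\
name,cidr,vlan,device_class
village-hall-hvac,10.20.0.15/24,1,hvac_controller
conf-room-tv,10.20.0.87/24,1,smart_tv
clerk-laptop,10.20.0.102/24,1,workstation
library-hvac-plc,10.30.5.10/28,30,plc
library-bms,10.30.5.11/28,30,bms_server
library-kiosk,10.30.6.20/24,40,workstation
"""

# Assumption: which device classes this audit treats as cyber-physical.
CPS_CLASSES = {"hvac_controller", "plc", "bms_server", "access_control"}


def load_assets(text):
    """Parse the inventory CSV into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def broadcast_domains(assets):
    """Group assets by (VLAN, IP network), approximating a broadcast domain."""
    domains = defaultdict(list)
    for asset in assets:
        net = ipaddress.ip_interface(asset["cidr"]).network
        domains[(int(asset["vlan"]), net)].append(asset)
    return domains


def mixed_domains(assets):
    """Return segments where CPS assets sit alongside non-CPS devices."""
    findings = []
    for (vlan, net), members in sorted(broadcast_domains(assets).items()):
        cps = [m["name"] for m in members if m["device_class"] in CPS_CLASSES]
        other = [m["name"] for m in members if m["device_class"] not in CPS_CLASSES]
        if cps and other:
            findings.append({"vlan": vlan, "network": str(net),
                             "cps": cps, "non_cps": other})
    return findings


if __name__ == "__main__":
    for f in mixed_domains(load_assets(INVENTORY_CSV)):
        print(f"VLAN {f['vlan']} {f['network']}: {f['cps']} share a segment with {f['non_cps']}")
```

Segments that hold only CPS devices, such as the constructed library HVAC VLAN, produce no finding; each flagged segment is a candidate for a dedicated VLAN or zone policy.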

CPS and networks are constantly emitting valuable data for your operation; this data can be transformed into insights that inform defense layers within your operation. As an arbiter for IT/OT, Claroty’s xDome provides invaluable, actionable cyber intelligence with a variety of approaches:

  1. As a first step, xDome’s Edge allows you to discover service-critical CPS assets and functions as a complement to classic passive monitoring. Once surfaced, asset data is streamed from Edge into xDome or CTD for continuous enrichment.

  2. Provide secure remote access to remote workers, contractors and third-party support personnel using xDome Secure Access, or xSA. With it, you can authorize, monitor, and record remote access sessions to your discovered CPS assets.

  3. Once assets are discovered, xDome business impact and risk configurations allow you to assign qualitative risk and impact scores to groups of assets based on their device purpose or orientation within the enterprise.

  4. Then, using xDome’s building management or physical security risk configuration feature, facility managers or cybersecurity teams can further enhance the risk information layer to incorporate custom weights for risk factors such as known-exploitable vulnerabilities (KEVs), or deployed devices comprising the physical security perimeter which are at end-of-life.

  5. The xDome MITRE ATT&CK for industrial control systems (ICS) then provides a view highlighting assets with active alerts relating to common tactics, techniques, and procedures targeting ICS systems.

  6. Utilize Claroty’s automatic recommendation engine and deploy zone policies which provide another layer of integration with point solutions within your extended cybersecurity stack.

  7. Finally, generate customer reports at the site level by leveraging xDome’s multi-site aggregation functionality. These reports are designed to help you articulate risk posture from the organizational level, site level, down to the device level.

It’s said that a chain is only as strong as its weakest link. The weakest link in cybersecurity programs is often governance.

Modern cybersecurity programs must be comprehensive if they’re going to be effective, and they’re only as good as the risk information they receive. Governance shouldn’t be a bad word. When done well, it is a vital part in a feedback loop. What’s more, good governance doesn’t have to break the bank. It merely requires vision and diligence.  

For the good of society, it’s imperative that we develop governance capabilities across state and local governments which empower our utility managers, facility managers, and cybersecurity leaders to execute swiftly.

Visibility and detection are not enough. CPS protection demands we continuously monitor for risk—moving swiftly to close the gap between identification and mitigation, and strategy and execution.
