Product Security Glossary

Cyber-Physical System Security

What is Cyber-Physical System Security? 

Cyber-Physical System Security is the set of practices, policies, and design principles that help ensure the security of cyber-physical systems. 

What are Cyber-Physical Systems? 

Cyber-Physical Systems, or CPS, are networks of embedded sensors, actuators, and processors.  They interact with the physical world in real-time, and support safety-critical applications.  Examples include the automatic collision prevention systems in modern cars, medical systems that can automatically adapt to real-time conditions, smart electrical grids, systems that control valves and motors in industrial plants, and much of the world’s critical infrastructure.  Another example that’s in the not-so-distant future would be that of self-driving cars. 

Why is Cyber-Physical System Security Needed? 

Cyber-Physical System Security involves the usual aspects of cyber-security that concerns us all.  Safety is also an important aspect, because Cyber-Physical Systems mostly deal with safety-related functions.  For example, a malicious actor who hacks into a medical system could potentially stop someone’s heart.  Several years ago, a pair of security researchers scared a tech journalist out of his wits by taking control of his car from the comfort of their own office, simply by finding the car on the Internet and breaking into its entertainment system.  Malicious actors could cause power outages for millions of people by breaking into the smart electrical grid.  Clearly, Cyber-Physical System Security is badly needed. 

Are there Real-world Examples of Problems with Cyber-Physical System Security? 

We mentioned the case of the security researchers who took control of a journalist’s car.  That was a demonstration in which the journalist agreed to participate.  But, the researchers didn’t do anything that a skilled, malicious hacker couldn’t have done. 

In February of 2021, someone penetrated the control system for a water treatment plant in Florida, USA.  The attacker then tried to add potentially dangerous amounts of sodium hydroxide to the water supply.  The saving grace is that a plant operator noticed the intrusion, and stopped it before it could do any harm. 

In 2017, parts of Turkey suffered power outages.  Turkey’s energy minister claimed that cyber attacks were to blame. 

How can Cyber-Physical System Security be Enhanced? 

For every Cyber-Physical System, security must be a prime consideration throughout the entire product lifecycle.  Security needs to built into the products during the planning, design, and development stages.  Trying to bolt security onto a product after it’s been built can be more costly, and can result in products that aren’t secure.  After a system has been released for sale, manufacturers need to continuously monitor for security events that may affect their products, and provide a way to apply security patches to systems that might be vulnerable. 

Many Cyber-Physical Systems are part of the Internet of Things, which introduces a major attack vector.  IoT devices need to implement security be design. A focus should be put on elementary access control, proper communication & authentication, and validating the lack of known vulnerabilities in the device before it is sold and used.  

Care must be taken to ensure the security of the networks to which the Cyber-Physical Systems belong.  This would include security audits, penetration testing, constant monitoring of what’s going on with the network, and keeping systems updated. 

Cyber-security is important for any networked system.  As you can see, Cyber-Physical System Security is especially important.