In the world of cybersecurity, it seems like experts can’t agree on anything — especially when it comes to the terms surrounding IT/OT convergence. One might think that the term “convergence” refers to a delightful fusion of IT (information technology) and OT (operational technology), like a perfect cup of teh tarik.

However, the reality is more akin to a Malaysian family gathering, where everyone is debating whether the rendang was made right. Some say IT and OT should work together seamlessly, while others insist they’re better off in their own corners, throwing passive-aggressive comments about who made the best sambal. These disagreements set the stage for the challenges we face in understanding cyber-physical systems.

Understanding cyber-physical systems

Let’s break down the difference between information systems and physical systems. Think of an information system as your favorite online shopping platform. If something goes wrong — like a glitch that prevents you from checking out your cart — you might be frustrated, but you can always try again later.

On the other hand, a physical system is more like a roller coaster. If that goes wrong, you’re not just dealing with a bad day; you might be facing a thrilling (and not in a good way) ride to the emergency room. The consequences of a failure in a physical system can be catastrophic and that’s where the stakes get high.

The risks of cyber-physical systems

For over 40 years, we’ve been adding computing devices and software to physical systems, turning them into cyber-physical systems, thinking we’re making them smarter and more efficient. However, with each new computing device we add, we’re also adding another target for hackers. It’s like inviting more guests to a party, only to realize that each one of them has a penchant for causing chaos.

And let’s not forget about data in motion — it’s the bloodline for automation. Just like blood keeps our bodies functioning, data keeps our systems alive and kicking. But if that data gets intercepted or corrupted, we might find ourselves in a world of hurt.

When it comes to cyber-physical systems, we have two sides to consider: engineering and cybersecurity. Engineering focuses on making sure everything runs smoothly, while cybersecurity is like the overprotective parent, constantly worrying about what could go wrong. Both sides need to work together, but often they’re like oil and water — each believing they know best. The reality is that without collaboration, we’re setting ourselves up for failure.

Risk assessment frameworks

Assessing cyber-physical risks involves a complex process that incorporates the cyber-attack path into the traditional HAZOP (Hazard and Operability Study) and HSSE (Health, Safety, Security and Environment) frameworks. These frameworks are process-centric in nature and not device-centric. This is where the bow-tie model comes into play. Imagine a bow-tie: on one side, you have potential hazards, and on the other, the consequences. In the middle, you have controls that can prevent those hazards from turning into disasters. By integrating the cyber-attack path into this model, we can better understand how a cyber incident could lead to physical consequences. It’s like playing chess, where each move can have a cascading effect on the game.

In the bow-tie model, we identify the threats and vulnerabilities associated with cyber-physical systems. This involves looking at how a cyber-attack could exploit weaknesses in the system and lead to physical harm. By doing so, we can prioritize our controls so that we’re addressing the most significant risks. It’s a bit like playing a game of whack-a-mole — just when you think you’ve taken care of one issue, another pops up. But with a structured approach, we can stay one step ahead.

Finally, it’s essential to remember that assessing cyber-physical risks is not a one-time event; it’s an ongoing process. As technology evolves, so do the threats we face. Regularly revisiting our risk assessments and controls is crucial to staying ahead of the game. It’s like maintaining a car; if you ignore the check engine light, you might find yourself stranded on the side of the road.