Connect with us

Hi, what are you looking for?



Our Rising Dependency on Cyberphysical

In a previous column, I discussed how “cyberphysical” is an appropriate term to capture this new world we are entering, where machines operate automatically and rapidly based on real-time feedback. The next step is to understand why this cyberphysical matters to the wider population that these machines will service.

In a previous column, I discussed how “cyberphysical” is an appropriate term to capture this new world we are entering, where machines operate automatically and rapidly based on real-time feedback. The next step is to understand why this cyberphysical matters to the wider population that these machines will service. We can then assess levels of risk in order to better develop a culture of cyberphysical security.

The most notable trend is that critical services we rely on are increasingly dependent upon cyberphysical interactivity. The scope of these critical services continues to broaden and deepen across industries, especially as the functionality and speed of devices is more widely understood.

To me, nothing offers a more direct example of cyberphysical dependency than heart pacemakers. More than three million people rely on these devices every day, and 600,000 new implants are performed each year (American Heart Association). These cyberphysical devices not only manage electrical impulses in the human body, but they can also connect to external, remote systems for diagnosis and adjustments. Security takes on new meaning when you consider how and where these cyberphysical systems reside.

Another set of cyberphysical interactions occur to deliver our electricity, which we ambitiously consume at approximately 18,000 TerraWatts a year. How many of us can go 60 minutes without an electrical charge to our cell phones? Smart meters, not to mention power generation control systems, play a part in delivering this critical energy service.

Moving forward, we can envision a host of additional cyberphysical systems beyond these two examples, managing and impacting our daily lives. Many have seen self-driving cars, which are expected to grow at 134% CAGR in the next five years (not to mention electric cars, another dependency back on our power generation systems). Or consider home automation systems and maritime cargo monitoring.

As a security specialist, while I anticipate great reward from these new types of cyberphysical systems, I also envision the need for better protection. The dependency on cyberphysical systems exposes the broader population to a variety of risks.

While I will outline here some of these risks, be assured that my follow-on column will discuss solutions. My intent is to help readers visualize the relevance of cyberphysical systems in day-to-day lives, as background to why new approaches to security are required. And while our researchers handle very targeted and device-specific vulnerabilities behind closed doors, I will discuss in public only broad strokes of exposure, rather than risk proliferating any attack specifics.

Advertisement. Scroll to continue reading.

As an initial example, many readers may be familiar with home automation systems that now include thermostats with remote control capabilities. Researchers have already performed “jail break” attacks to take over such temperature-altering devices, building upon prior attack lessons learned. Similar to information security holes in enterprise devices, these consumer thermostats lack robust security measures.

Amidst pressures to be “first to market,” it is not uncommon for manufacturers to trade off convenience and price for limited protection. In some cases, it might not even be a conscious design decision. Considering our growing dependency on cyberphysical systems, however, security testing seems an obvious addition (but I will discuss solutions further in my next column).

In other industries, it is less a rush to the consumer market triggering risks than it is a status quo regarding defining what constitutes “safe.” In the energy sector, offshore oil rigs were once “air gapped” and not connected to other systems.

Today, devices from as far afield as transportation and government services have typically been prioritized by physical security implications first. Will seat belts cause more injuries or save more lives, for example, or how will devices from state clinics affect the medical condition of citizens? Today, as cyber merges with physical inside vehicles and operating rooms, “safe” needs a new perspective. Has the system been tested against remote control access? If a cyberphysical device receives false commands, what are the implications?

These are just two examples of different dimensions of risk we are exposed to as we enter the cyberphysical era. The high level of machine-to-machine interactivity, the speed of sharing real-time information automatically, and the trade off of convenience for security in product lifecycle management will all contribute to new levels of risk as cyberphysical systems emerge.

Considering our increasing dependence on these critical systems, the onus is on our industry to devise new and better security models. In my next column, I will illuminate options for how we can move forward, including implementing security measures much earlier in the design lifecycle.

Related Event: Learn More at the ICS Cyber Security Conference

Related Reading: Cyberphysical Security: The Next Frontier

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.