Gartner has predicted 75% of CEOs will be held personally liable for attacks on cyber-physical systems (CPSs) by 2024. CPSs are defined by Gartner as “systems engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans).”
Cyberattacks on these systems would not only result in data loss, outages, and equipment failure; they could also easily cause physical harm and loss of life. CPSs include medical devices such as patient monitors and drug pumps. An attack on these devices could easily result in patients not receiving treatment, stop the delivery of life-saving drugs, or cause patients to receive an overdose.
These systems are not limited to healthcare. They are also found in smart buildings, smart cities, autonomous vehicles and connected cars. Incidents in the digital world could easily result in catastrophic effects in the physical world.
Gartner has predicted the cost of attacks that result in fatal casualties could reach $50 billion by 2023. Regulators and governments would have no alternative other than to hold CEOs personally liable if they fail to adequately secure these systems and the systems are attacked resulting in physical harm.
“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” said Katell Thielemann, research vice president at Gartner. “In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”
Many enterprises may not be aware of the extent to which CPSs have been deployed in their organization through new business-driven automation and modernization efforts, or through the connection of legacy systems to their enterprise networks by teams outside of the IT department.
“A focus on ORM – or operational resilience management – beyond information-centric cybersecurity is sorely needed,” said Thielemann.