Securing Cyber-Physical Systems
As AI, IoT and automation continue to transform how hospitals, factories, energy networks and transportation systems operate, the associated security risks are no longer just an IT issue. A breach in a connected device or error in automated decision-making can now have physical consequences and pose a threat to public safety.
According to Dr Francesca Boem, Senior IEEE Member and Associate Professor at UCL, we need to adopt a systems perspective to secure these increasingly complex, hybrid systems. Focusing on digital defences alone risks overlooking critical vulnerabilities that lie at the intersection of software, hardware and the physical world. Control engineers can play a key role in this context.
Q: Cyber-physical systems have existed for years, but we’re hearing more concern about them now. What’s changed?
The boundaries that previously existed between digital and physical systems have been blurred to the point that they no longer exist. There has also been a shift in the type and targets of the attacks, from the cyber to the physical world. Rather than traditional data protection, we need to start protecting the behaviour of our systems and devices. In a cyber-physical system, a compromised sensor has the potential to shut down an entire production line. Similarly, an error within an AI system could cause a robotic surgeon to move at the wrong moment. These aren’t abstract threats, as you can see; they now carry real consequences.
This shift comes down to scale and complexity. We’re connecting many more systems to networks, decision-making is being automated in almost every industry and we’re embedding more AI systems into critical infrastructure. With many of these systems needing to be ‘always on’, we're now facing risks that can’t be solved by traditional IT defences like reboots or patching. And problems can propagate easily.
Q: Many organisations rely on established cybersecurity frameworks. Why aren’t they enough when it comes to cyber-physical environments?
We still need traditional frameworks but they aren’t built for how physical systems behave. In the digital world, we tend to focus on privacy and data protection, while that emphasis shifts to availability and timing in a control system. Just a few milliseconds of delay might be acceptable for loading a website but it becomes a big problem when you’re controlling pressure in a chemical reactor or adjusting a ventilator in a hospital.
There’s also a difference in tolerance for disruption. In an IT environment, if something goes wrong, you might reboot a server – but in operational technology, you can’t just restart a power grid or stop a production line without causing significant and widespread disruption.
Cybersecurity in these environments must account for system dynamics. That’s where control engineering comes in, to provide the tools we need to model, predict and manage system behaviour, even when that system is under attack. It is also a matter of increasing layers of protection: as attacks become more sophisticated, and the consequences of attacks more severe, expert knowledge and models can help add security to traditional frameworks.
Q: For organisations managing complex or legacy infrastructure, how realistic is it to improve security without a complete system overhaul?
At this point, it is not important how easy it is; companies must evolve because the potential risks are too costly. You don’t need to rebuild everything from the ground up to make meaningful progress. One of the most important first steps is awareness of the risks and accurate asset mapping – and that can’t just come from automated scans or outdated reports. It needs input from the engineers and technicians who work with the systems every day. They’re the ones who know where the undocumented connections or improvised fixes are hiding, and that kind of insight is essential.
Another effective step is segmenting the network. Isolating safety-critical systems from general operations helps limit the reach of any potential breach. Even simple measures like protocol filters or data diodes can prevent threats from spreading and contain problems before they escalate. Employee training is also fundamental.
Q: Once those basics are in place, what else can organisations do to strengthen resilience in day-to-day operations?
Understanding how your system should behave is crucial. That’s where models based on physics, as well as historical data, can help.
These models give you a picture of what 'normal' looks like. For instance, if a pump suddenly uses more energy than expected during a routine task, that should raise a flag. Whether it’s a mechanical issue or a sign of interference, it’s something the system needs to detect and respond to as soon as possible.
It also makes sense to think about what happens when something does go wrong, and how to make the systems resilient. Rather than shutting everything down, the system should be designed to fall back to a safe, controlled state where operations can continue, even in a limited way. That kind of built-in fallback, which is often called graceful degradation, contains the impact and keeps things stable.
And finally, make sure your team is prepared. Everyone should know exactly what to do when digital systems are compromised, from switching to manual control to protecting core processes while systems recover. Those human decisions, especially in the first few minutes of an incident, will often make the biggest difference.
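The two ideas in this answer, a physics-based model of what "normal" looks like (the pump example) and graceful degradation to a safe, reduced state, can be shown in a small supervisor. The following is an added illustration, not code from the interview or from Dr Boem's work; the pump model (electrical power = flow × pressure rise / efficiency), the nominal efficiency of 0.80, the persistence count, the half-flow fallback and all telemetry values are assumptions constructed for the example.

```python
"""Model-based anomaly detection for a pump, with graceful degradation (added example)."""
from statistics import mean, pstdev

PUMP_EFFICIENCY = 0.80          # assumed nominal efficiency of a hypothetical pump
PERSISTENCE = 3                 # consecutive out-of-band samples before the supervisor reacts
DEGRADED_FLOW_FRACTION = 0.5    # fallback: run at half the nominal flow rather than stop


def expected_power_w(flow_m3s, delta_p_pa, efficiency=PUMP_EFFICIENCY):
    """Physics model: electrical power the pump should draw is hydraulic power
    (volumetric flow times pressure rise) divided by the pump's efficiency."""
    return flow_m3s * delta_p_pa / efficiency


class Sample:
    """One telemetry reading: commanded flow, measured pressure rise, measured power."""
    def __init__(self, flow_m3s, delta_p_pa, power_w):
        self.flow_m3s = flow_m3s
        self.delta_p_pa = delta_p_pa
        self.power_w = power_w


def residual_w(s):
    """Measured minus model-predicted power; close to zero when the pump behaves normally."""
    return s.power_w - expected_power_w(s.flow_m3s, s.delta_p_pa)


def learn_limit(baseline, k=3.0):
    """Alarm band learned from historical, known-good residuals (|mean| + k standard deviations)."""
    r = [residual_w(s) for s in baseline]
    return abs(mean(r)) + k * pstdev(r)


class PumpSupervisor:
    """Flags sustained deviation from the model and falls back to a safe, reduced setpoint."""
    def __init__(self, limit_w, nominal_flow):
        self.limit_w = limit_w
        self.nominal_flow = nominal_flow
        self.setpoint_flow = nominal_flow
        self.mode = "normal"
        self._streak = 0

    def step(self, s):
        """Process one sample and return the operating mode after it."""
        # Persistence requirement: a single noisy reading must not trip the fallback.
        self._streak = self._streak + 1 if abs(residual_w(s)) > self.limit_w else 0
        if self._streak >= PERSISTENCE and self.mode == "normal":
            # Graceful degradation: keep running at reduced load instead of shutting down;
            # whether the cause is mechanical or interference is for the operators to determine.
            self.mode = "degraded"
            self.setpoint_flow = self.nominal_flow * DEGRADED_FLOW_FRACTION
        return self.mode


def run(baseline, live, nominal_flow=0.01):
    """Train the band on the baseline, replay the live stream, return (modes, supervisor)."""
    sup = PumpSupervisor(learn_limit(baseline), nominal_flow)
    return [sup.step(s) for s in live], sup


# Constructed baseline telemetry: a known-good run at two operating points.
BASELINE = ([Sample(0.01, 200_000, p) for p in (2500, 2520, 2480, 2510, 2490)]
            + [Sample(0.02, 150_000, p) for p in (3750, 3760, 3740)])

# Constructed live stream: a one-sample blip, then a sustained ~15% excess power draw
# at unchanged flow and pressure, the kind of deviation that should raise a flag.
LIVE = [Sample(0.01, 200_000, p) for p in (2510, 2495, 2540, 2505, 2875, 2880, 2870, 2865)]

if __name__ == "__main__":
    modes, sup = run(BASELINE, LIVE)
    print(f"alarm band: +/-{learn_limit(BASELINE):.1f} W")
    print("modes:", modes)
    print("final setpoint:", sup.setpoint_flow, "m^3/s in mode", sup.mode)
```

The single out-of-band reading at the third sample is ignored because the streak resets, while the sustained excess trips the fallback on its third consecutive sample; the supervisor then halves the flow setpoint and holds that state instead of stopping the pump.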
Q: What’s the biggest mindset shift organisations need to make when it comes to securing cyber-physical systems?
The biggest shift is understanding that cybersecurity is built into the system itself, not something that sits alongside it. In connected environments, security comes from how the system is designed to respond, adapt and stay safe under pressure.
It’s not enough to rely on monitoring or quick fixes. These systems need to be designed from the start to behave safely, even when something goes wrong. Cybersecurity teams need to understand process control and engineers need to understand digital threats.
The tools are there. Digital twins, formal verification methods and better modelling can all help – but none of it works in isolation. Securing today’s cyber-physical systems means building systems that are prepared for them. That only happens when IT, engineering and operations work together from the very beginning.
Dr Francesca Boem is an IEEE Member and Associate Professor with the Electronic and Electrical Engineering Department at University College London