Federal agencies made notable gains in cyber-physical system (CPS) security over the past year, but major risks remain, according to new research from MeriTalk and Claroty.
The new study, “Guardians of Government, Vol. 2: Fortifying the cyber-physical frontier,” reveals that many agencies still have gaps in CPS expertise and less than half have achieved full asset visibility.
One hundred percent of federal agencies have launched new CPS security initiatives in the past year, conversations with 100 federal civilian and defense operational technology (OT)/CPS security leaders revealed.
More than 85% of federal OT/CPS leaders are focusing on governance, traditional OT, and Internet of Things (IoT) security. However, 68% of officials said they are bracing for a disruptive attack in the next year.
While agencies are investing in threat detection and network visibility, the report noted that only 36% have achieved full asset visibility and 45% have fully implemented secure remote access, which rose from 30% year-over-year.
“Persistent budget shortfalls, skills shortages, and structural inefficiencies continue to undercut OT and CPS defenses, leaving agencies vulnerable,” reads the report, with 61% of officials citing budget limitations impacting CPS security improvement and 62% citing a lack of in-house OT/CPS expertise.
Agencies have stepped up vulnerability assessments, the report explained, but many still are highly exposed, with emerging technologies – such as artificial intelligence and machine learning systems – expanding the attack surface despite a 10% increase in continuous vulnerability assessments.
“While many assess vulnerabilities regularly, only one-third do so continuously – leaving long windows for attackers to exploit potentially even Known Exploited Vulnerabilities,” the report says.
Agencies that avoided incidents were more likely to have dedicated CPS experts, limit unpatchable legacy systems to less than a quarter of their environment, invest in stronger access controls, and fully deploy network protections and threat detection, the report found.
Many agency leaders – 87% of Pentagon leaders and 33% of civilian leaders – said they’ve also increased the number of air-gapped systems in their OT or CPS environments this year, while 85% have said they have a dedicated OT cybersecurity strategy, with the report saying that “federal leaders are laying the groundwork for stronger, more adaptable OT and CPS security.”
Moving forward, the report said that agencies should establish foundational visibility, address assessment frequency, fortify internal defenses, and isolate unpatchable risk to defend their systems.
“The cyber-physical threat landscape is evolving faster than many agencies can adapt,” said Heather Young, regional vice president for Claroty, U.S. Federal. “Agencies that build around smart segmentation, continuous monitoring, and deep visibility are not only better positioned to defend themselves – they’re better equipped to sustain mission delivery in the face of disruption.”
For more insights, check out the full report.