Past malware attacks, such as Stuxnet, which is believed to have been the work of the NSA, have demonstrated that malware can create real-world damage, not just scramble data. And cyberattacks have long had real-world implications, such as the ransomware attacks on organizations like Colonial Pipeline and hospitals in the US and Europe. The UK’s NHS struggled for days after the 2017 WannaCry ransomware attack, which was blamed on North Korean state-sponsored hackers. Gartner reckons that by 2025, hackers will have weaponized operational technology (OT) environments to “successfully harm or kill humans”. SEE: Network security policy (TechRepublic Premium) By OT, Gartner means “hardware and software that monitors or controls equipment, assets and processes.” It also refers to cyber-physical attacks (CPS): examples of these might be attacks on electronic medical equipment or physical infrastructure. “In operational environments, security and risk management leaders should be more concerned about real-world hazards to humans and the environment, rather than information theft,” said Wam Voster, a senior research director at Gartner. More worryingly, Voster went on: “Inquiries with Gartner clients reveal that organizations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.” Gartner breaks down OT and cyber-physical threats into three categories: actual harm; commercial vandalism, which reduces output; and vandalism against an organization’s reputation, which renders a manufacturer unreliable and untrustworthy. Gartner expects that the financial impact of CPS attacks that kill or injure people will top $50 billion by 2023. The costs to organizations will be significant and include compensation, litigation, insurance, regulatory fines and reputation loss, Gartner says. However, it should be noted that this figure is small compared to overall global spending on IT, which Gartner expects to reach $4.2 trillion in 2021. SEE: Fewer troops, but more tech: Military downsizes as it shifts to AI, drones and cyber Fortunately, Gartner does have some practical advice for organizations that control operational technology, such as appointing an OT security manager for each facility, security training and awareness for staff, and testing incident response capabilities. Given the perennial threat of ransomware, the analyst also urges organizations to implement adequate backup, restore, and disaster recovery capabilities. It also recommends managing portable media, such as USB sticks, that might be connected to OT systems: “Only media found to be free from malicious code or software can be connected to the OT,” it says. Companies need to have a current inventory of IT and OT assets; real-time logs and detection capabilities; secure configurations; and a formal patching process.