Shifting supply chains and rules test CPS security strategies

Cyber-physical systems are getting harder to protect as the business landscape keeps shifting. Economic pressures, supply chain changes, and new regulations are creating more openings for attackers while complicating how organizations manage security. A new report from Claroty, based on a survey of 1,100 security professionals, shows how these forces are raising the stakes for CPS protection and forcing CISOs to rethink their strategies.

CPS security strategies

The study focused on mission-critical environments such as industrial operations, connected medical devices, and building management systems. It found that external factors like supply chain instability and new compliance requirements are creating significant challenges for organizations trying to secure CPS environments.

Supply chain changes heighten third-party risks

Nearly half of respondents said that changes to global supply chains are increasing cyber risk within their organizations. Many businesses are reconsidering where they source technology, with 67 percent saying they are rethinking their supply chain geography in response to economic and geopolitical uncertainty.

This shift has a direct impact on third-party access risk. As companies bring in new suppliers and tools, attackers have more opportunities to exploit weak points. The report found that 46 percent of organizations experienced a breach in the past year tied to third-party vendor access. In many cases, these breaches involved malware or ransomware introduced through compromised supplier accounts.

The survey also showed that most organizations are taking action. Nearly three-quarters of respondents are currently re-evaluating third-party remote access to CPS environments. Risk reduction, cost savings, and lack of visibility into vendor activity were the top reasons for these reviews.

Compliance programs face disruption

Emerging regulations are another source of uncertainty. Most organizations currently align their CPS security programs with frameworks such as the NIST Cybersecurity Framework or ENISA guidelines in Europe. Sixty-nine percent of respondents said their strategies closely follow international and local standards.

However, 76 percent believe upcoming regulations will require them to overhaul their current security strategies. In the United States, potential changes to federal cybersecurity mandates could roll back or alter existing rules. In Europe, deadlines for the Cyber Resilience Act and NIS2 are approaching, which will require updates to compliance programs.

The survey found that federal, international, and industry-specific regulations are the primary drivers of CPS compliance initiatives. Internal risk assessments are a lower priority for most organizations, which means regulatory changes could have a direct and disruptive effect on how companies manage security.

Visibility and risk reduction remain difficult

The researchers also asked about the operational impacts of instability. Forty-five percent of respondents said they are concerned about their ability to reduce cyber risk to key CPS assets and processes. A similar number said they struggle to understand their organization’s risk exposure.

Other common challenges include meeting regulatory mandates, managing third-party access risks, and maintaining accurate inventories of connected assets. These issues reflect the complexity of CPS environments, where operational technology, IoT devices, and other systems are deeply interconnected.

AI emerges as a key security tool

AI is becoming an important part of CPS security strategies. Ninety-three percent of respondents said AI capabilities are at least somewhat of a requirement for their CPS protection tools. Organizations are looking to AI to improve threat detection and response times, especially in identifying anomalies and zero-day vulnerabilities.

By automating tasks such as log analysis and incident response, AI can help smaller teams manage complex environments. This is particularly valuable as companies contend with limited security resources.
