SecurityWorldMarket

17/04/2025

New regulations represent a clear trend towards responsible security

Mountain View, Ca (USA)

Cyber-Physical Systems (CPS) are no longer the stuff of science fiction; they are woven into the fabric of our daily lives, organisations, and critical infrastructure.

CPS offers incredible benefits. "But with great power comes great responsibility," says John Gallagher, CEO, Viakoo, "and increasingly, significant risk. As these systems become more complex and interconnected, the potential fallout from a security breach becomes ever more daunting." Here, he urges the physical security industry to take note, as he discusses how to navigate the different approaches that countries are taking to meet these challenges, and the rules and regulations that have been, or are being introduced, to help combat them.

Recognising the issues, governments across the globe are stepping up, implementing new standards and regulations to bolster the security of these vital systems. It's not just about ticking boxes; it's a fundamental shift towards building a more secure digital future. Below is a look at the evolving landscape in the US, the UK, and Europe.

The US approach

In the United States, the conversation around CPS security is gaining momentum. While not solely focused on CPS, the updated NIST Cybersecurity Framework (CSF) 2.0 provides a crucial foundation. It introduces a new Govern function that puts cyber security governance on a par with the existing functions, and it strengthens guidance on managing supply chain risks; both are critical elements for interconnected CPS environments. NIST also offers specific guidance for IoT security (such as NISTIR 8425, its core baseline for consumer IoT products), which underpins initiatives like the US Cyber Trust Mark. Although this voluntary labelling programme currently targets consumer IoT devices, it reflects a growing awareness that even seemingly simple connected gadgets within an organisation can pose risks.

Setting standards in the UK

The United Kingdom has taken a direct approach with the Product Security and Telecommunications Infrastructure (PSTI) Act, whose product security regime has been enforced since 29 April 2024. This legislation places clear baseline security requirements on manufacturers selling consumer connectable products in the UK. Key mandates include banning easy-to-guess universal default passwords (each device must ship with a unique password, or one set by the user), establishing a published channel for vulnerability reporting, and ensuring transparency about the minimum period for which security updates will be provided. It's a clear signal that basic security hygiene is no longer optional.

Europe’s comprehensive vision: The CRA

Perhaps the most significant development is the European Union's Cyber Resilience Act (CRA). It entered into force in December 2024, its vulnerability and incident reporting obligations apply from September 2026, and the main obligations start in December 2027. The CRA imposes mandatory cyber security requirements across the entire lifecycle of hardware and software products with digital elements. This broadly impacts countless IoT and CPS devices sold within the EU, placing the onus firmly on manufacturers to embed security from design through development and ongoing maintenance, including vulnerability handling for the product's support period. While certain sectors already covered by robust sector-specific rules (such as medical devices or aviation) are excluded, the CRA represents a major step towards harmonised, high security standards across the bloc. Alongside the CRA, the EU Agency for Cybersecurity (ENISA) continues to provide vital guidance on best practices, risk assessment, and incident response relevant to CPS.

More than rules: A global shift towards best practice

John Gallagher sees these varied initiatives as signalling one clear global trend: securing CPS is paramount. "While the specifics differ, the core principles resonate – banning default passwords, managing vulnerabilities, ensuring updates, and embedding security throughout the product lifecycle," says John Gallagher.

"Organisations worldwide are taking note, not just because they might fall under a specific jurisdiction, but because these regulations highlight what constitutes responsible, proactive security. Ultimately, these frameworks are more than legal hurdles; they represent essential best practices. Adopting them isn't just about compliance – it's about safeguarding operations, protecting users, and mitigating the potentially devastating consequences of a CPS cyber attack. As we become ever more reliant on these interconnected systems, embracing a security-first mindset is no longer just advisable, it's imperative," concludes Gallagher.
