Perceived and real security threats affecting industrial infrastructures have been attracting considerable attention in the media due to their potential of having a significant impact on the availability/quality of vital services and goods. While the number of attacks on these infrastructures is increasing, some threats are over-exaggerated while some vulnerabilities are not sufficiently highlighted. The white paper might help readers with developing independent thinking and reasoning about the disruptive potential of cyber-physical attacks as well as current and future cyber-warfare topics. An example of civil responsibility is a German independent organization AG Kritis which was set up to urge policy makers on better critical infrastructure protection requirements.

In the past, security needs of OT environments were predominately addressed by on-site engineers. With the growing complexity of the computing part of the OT infrastructure and the requirement for its connectivity to the enterprise network, IT security specialists became (co-)responsible for the security of OT assets. While some of the OT security challenges are similar to those in the enterprise domain, there are many critical differences. The white paper provides essential background information on the OT network architectures, process and control engineering as well as essential aspects of what it takes to design and execute an attack on a cyber-physical system, aiding the readers with a better understanding of security risks in the OT domain.

Effective incident response in OT environments requires not only familiarity with the OT architectures and applications but also an understanding of the attacker's activities across the relevant attack lifecycle. Additionally, the investigation within the control systems zone requires close collaboration with process operators and engineers due to their familiarity with equipment, protocols, and possibly useful forensic artifacts. The white paper provides a breadth of relevant information to not only reason about potential attackers' actions but also to have a more effective dialog with the personnel on the shop floor. As part of the incident preparedness, the white paper offers a blueprint of a cyber-physical attack which can be used for designing table-top exercises and Red/Blue Team exercises.

For decades industrial control systems used to be segregated from untrustworthy environments such as enterprise networks, 3rd-party service providers, and the Internet. Most cyber incidents resulted either from accidental mistakes or random faults. With the evolutionary convergence of OT and IT networks, plant personnel increasingly began to interact with the IT and cyber security specialists. The white paper is useful as a quick reference for the standard representation of OT network architectures and security principles relevant to cyber-physical environments. The step-wise description of a cyber-physical attack design process is helpful for developing an attacker's mindset and facilitating more productive collaborations with cyber security specialists.  

 In contrast to IT security which can trace its roots back several decades, the discipline of CPS security is comparatively young, and the research community has not yet achieved the same clarity about relevant threats and best security practices. The white paper outlines a good amount of the CPS security and safety research questions which have not yet received any or sufficient attention. CPS security is an inter-disciplinary research area. Embedded systems security researchers may find inspiration for attack scenarios when weaponizing found vulnerabilities and assessing their criticality. Legal experts may assist with defining legally-bound forensic evidence for cyber insurance.