The Resilience of Infrastructure Depends on CPS

Source Gartner – Document “Developing a CPS Security Policy Framework Based on Seven Domains”Fonte Gartner
Article based on data from the Gartner document “Developing a CPS Security Policy Framework Based on Seven Domains”Fonte Gartner
Cyber-physical systems (CPS) represent the evolution of IT and OT infrastructures: environments where sensors, networks, algorithms, and physical devices interact in real time to govern critical processes. They are present everywhere — from factories to hospitals, ports, and power plants — embodying the fusion of digital and physical technologies that underpin the most vital processes.
For years, cybersecurity has been described as an invisible war, waged with malicious code, silent intrusions, and ransomware locking files and servers.
A conflict confined to the digital perimeter. Today, however, that war has forcefully shifted into a new domain — not virtual but physical. Unlike IT systems, in CPS environments it is operational continuity — not just data protection — that becomes the overriding priority.
Why IT and OT Speak Different Languages
While IT focuses on the confidentiality, integrity, and availability of data, CPS place emphasis on the safety, availability, and reliability of physical processes.
In the IT world, the conversation revolves around data, privacy, and compliance. In the OT world, it is about machinery, continuity, and operational safety.
The main challenge stems from the fact that CPS sit at the crossroads of two universes that have traditionally spoken different languages. Today, however, separation is no longer possible.
An attack travelling through an IT network can shut down an industrial machine. A vulnerability in an OT system can open the door to large-scale digital compromise.
Believing that a single cybersecurity policy can protect both domains is a mistake.
The reality? Dedicated, distinct policies are needed: IT and OT must be protected differently, but they must also work together.
The Right Standards to Follow (Spoiler: Only Two)
There is no shortage of frameworks, but according to Gartner, only two are truly essential:
- IEC 62443 → Designed for industrial automation, it sets out precise rules and security levels. Structured into fundamental requirements (FR) and security levels (SL), it defines roles, responsibilities, and obligations for vendors, integrators, and asset owners.
- NIST SP 800-82 → More governance and risk management-oriented, especially useful for managing complex, distributed environments. Focused on governance, it promotes an adaptive, risk-based approach, integrated with the NIST SP 800-53 framework.
These two standards are not mutually exclusive; they complement each other.
IEC 62443 is more prescriptive on the technical-industrial side, while NIST SP 800-82 helps structure the organisational and strategic context.
The advice? Take the best from both and build your own strategy on top.
The 7-Domain Framework: A Comprehensive Approach
To build an effective security strategy for CPS, Gartner identifies seven fundamental domains that serve not simply as a checklist of best practices, but as a genuine map of resilience.
Governance, asset management, access control, network security, monitoring, system integrity, and compliance: each of these elements represents a potential weak point. Neglect even one, and overall protection is weakened.
Without an up-to-date inventory, you don’t even know what you are defending. Without an incident response plan, a containable attack becomes a real disaster. Without MFA on remote access, the front door is already open.
When Theory Meets Practice
Theory must be matched by practice. This is where Agger comes in: the Italian platform developed by Gyala that integrates Gartner’s seven domains into a single, modular, and automated solution.
The difference compared to many existing solutions is crucial: Agger doesn’t just observe or alert, it decides and reacts, reducing containment time to zero, even without connectivity. It is the tangible translation of the concept of active resilience: not just defending, but ensuring continuity even when everything seems to threaten disruption.
Agger is designed to operate in IT, OT, and IoT environments — even under extreme or isolated conditions, such as:
- Mission-critical environments (defence, energy, healthcare)
- Segregated networks
- Legacy systems (Windows XP, Unix, embedded systems)
Agger’s capabilities align point by point with the framework:
- Governance: full centralisation and traceability
- Asset Management: automatic discovery of assets, including agentless OT
- Access Control: granular policies for every agent
- Network Security: Layer 7 analysis, advanced detection, OT protocol decoding
- Monitoring: integrated SIEM, behavioural AI, zero-second incident response
- System Integrity: snapshots, advanced logging, change monitoring
- Compliance: mapping to NIS2, DORA, IEC 62443, ACN, MITRE
Resilience Cannot Be Improvised
It is no longer just about protecting data or ensuring compliance, but about defending the very continuity of the organisation — its ability to deliver services and maintain vital processes.
This is a strategic shift before it is a technological one.