Know Thy KRIs: Four Takeaways from Gartner’s “Hype Cycle 2021” Report

Introduction – the challenges of CPS cybersecurity

Gartner last month published its  “2021 Hype Cycle for Cyber and IT Risk Management” report, which as always uses their branded “Hype Cycle” to illustrate how new and emerging technologies move from R&D to wide adoption.

The 2021 report sees cyber-physical systems (CPS) as an emerging field of innovation, and Radiflow was recognized as a leading vendor in CPS risk management category.

Much of the focus in the report is on the challenges of CPS cyber-security, which stem from the unique nature of industrial automation networks:

• Diverse component mix, often involving legacy assets which were never intended to go online
• Introduction of multiple entry points to a network as a result of the component mix, thus increasing the number of weak spots
• Linking between physical components and IT systems, resulting in a veritable maze of networked elements, with complex security requirements
• The differing needs of IT and OT security have become highlighted in recent years as the two converge and the need for a joint solution is becoming apparent

These factors, compounded by the current OT cyber-threat level, further underline the necessity of a solid risk-assessment system.

Using key status indicators as decision-making tools

As part of the risk assessment process, for quantifying the exposure to risk, Gartner mentions the use of KRIs (key risk indicators): metrics for the level of exposure to a current operational risk.

KRIs help monitor the overall risk exposure of a company and the specific risk of each operational unit. This enables decision makers to make decisions based on how much risk exposure they are willing to accept. However, from a security perspective, KRIs alone fail to give a complete picture as to the efficacy of the security system itself and is therefore an incomplete solution.

To overcome the problem of overdependence on KRIs, Gartner recommends the use of KCIs, key control (mitigation measure) indicators – how well each given control is meeting its intended objectives – in order to present a measurable assessment of the control systems, including any control failures.

Since KRIs constantly change, there is a corresponding need to constantly monitor and update the network security. Applying KCI metrics adds a focused approach to the risk-assessment process and allows for pinpointing specific weak spots and failures. More importantly, KCIs act as an early detection system for possible security threats, as changes will become apparent sooner than with the use of KRIs alone.

The combination of KRIs and KCIs (for risks and controls, respectively) allows developing key performance indicators (KPIs) that measure performance or the achievement of targets, as an overall a measure of how well the security system does its job.

In practice, each key risk indicator is assigned a data source and key control indicators, resulting in a comprehensive map of the OT network’s threats (using data pulled from threat intelligence and other sources) and vulnerabilities. The ability to automate the threat database update process is key to ensuring the system’s ability to “intercept” and account for upcoming threats, thus ensuring the continued operation of critical, high-stake industrial operations.

A structured, comprehensive ICS solution is the first step to securing OT systems

As the “Hype Cycle” report mentioned, CPS technology is becoming increasingly important as both the sheer number of networked devices worldwide and the sophistication of threats have dramatically increased in recent years. This does not even take into account the financial threat to companies with inadequate ICS security (consider the five million dollars paid by Colonial Pipeline as one example).

Gartner provides clear guidelines as to the steps and components of an optimal ICS system:

• Map all networked assets, including those which have become linked due to IT/OT convergence, as well as IoT, IIoT or smart “X” programs, using non-IT asset discovery platforms.
• Define the risk profiles for these systems and prioritize high-value assets.
• Identify current CPS security controls.
• Identify the gaps within the security system, prioritizing according to potential impact.
• Create a company-wide strategy for CPS risk management.

CPS cyber security and Radiflow’s CIARA Risk Assessment Platform

Just over a year ago, Radiflow launched CIARA, a ROI-driven risk assessment & management platform for industrial organizations.

CIARA uses a proprietary risk-assessment algorithm to calculate KRIs and KCIs, per business process, (based on user-determined target security levels for each) and for the entire OT network, toward continually optimizing the ROI for industrial network security expenditure.

By running network-wide attack simulations (non-intrusive, using mirrored network data streams) and inter-asset attack vector analyses, CIARA provides a comprehensive risk assessment report complete with a prioritized list of control (mitigation measures) that most effectively achieve the user’s security objectives, subject to the budgetary constraints.

Contact our sales team today to find out more about Radiflow CIARA and how our risk-assessment platform can improve your industrial cyber security, in line with Gartner’s recommendations.

If you’ve found this article interesting, please visit and follow Radiflow on LinkedIn, where you’ll find a wealth of exclusive content.