Subscribe to the Non-Human & AI Identity Journal
Home Glossary Cyber-Physical System

Cyber-Physical System

← Back to Glossary
By NHI Mgmt Group Updated July 10, 2026

A cyber-physical system combines software, networking, and physical processes that influence real-world operations. In security terms, compromise can affect availability, safety, and production continuity, which is why containment and resilience controls matter as much as detection.

Expanded Definition

A cyber-physical system, or CPS, is a tightly coupled environment where software logic, network communications, and physical processes interact in near real time. That coupling is what makes CPS security different from ordinary IT security: a compromised control path can change outputs, interrupt operations, or create unsafe physical conditions.

Definitions vary across sectors because CPS can describe industrial control systems, medical devices, smart infrastructure, robotics, and connected building systems. In security practice, the term is most useful when it highlights safety, availability, and deterministic behaviour rather than just confidentiality. NIST SP 800-53 Rev. 5 helps frame this through control families that address access control, system integrity, monitoring, contingency planning, and resilience, while CISA cyber threat advisories remain a practical source for current threat patterns affecting operational environments.

The most common misapplication is treating CPS as a normal IT asset class, which occurs when teams apply office-network assumptions to systems that depend on timing, safety interlocks, and physical state transitions.

Examples and Use Cases

Implementing cyber-physical system security rigorously often introduces operational constraints, requiring organisations to weigh uptime and safety against patching speed, network segmentation, and strict change control.

  • In a manufacturing plant, programmable logic controllers and supervisory systems coordinate production lines where a malicious command can halt output or damage equipment.
  • In a hospital, connected infusion pumps or monitoring devices can affect patient care if network paths, firmware, or configuration integrity are compromised.
  • In smart buildings, HVAC, access control, and fire systems interact with sensors and automation logic, creating cross-domain dependencies that need careful segmentation.
  • In transportation, signalling, braking, and telemetry systems require high assurance because a cyber incident can quickly become a physical safety event.
  • NHIMG’s analysis of The 52 NHI breaches Report shows how identity compromise often becomes the entry point for broader operational disruption, especially where machine identities and service credentials touch embedded systems. That risk is closely tied to the poor secret hygiene described in the Ultimate Guide to NHIs — Key Challenges and Risks.
  • For a standards lens, NIST SP 800-53 Rev. 5 supports this work through controls for monitoring, incident response, and system resilience in environments that must keep operating under fault conditions.

Why It Matters for Security Teams

Cyber-physical systems force security teams to think beyond alert volume and malware detection. A missed configuration change, a stale privileged credential, or a delayed recovery action can directly affect production continuity and physical safety. That is why CPS programs often combine segmentation, allowlisting, asset visibility, anomaly detection, and recovery testing rather than relying on perimeter security alone.

The identity layer matters more than many teams expect. NHIMG reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is highly relevant where engineering tools, remote maintenance channels, and orchestration systems touch physical assets. In CPS environments, those credentials can become the bridge from a routine access issue to an operational event. The Ultimate Guide to NHIs — Why NHI Security Matters Now and Top 10 NHI Issues both show why visibility and rotation are not optional in connected operational environments.

Organisations typically encounter the severity of CPS risk only after a process stops, a safety alarm triggers, or a device behaves unpredictably, at which point cyber-physical system containment becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.PT, DE.CM, RS.MICPS security centers on protective technology, monitoring, and response outcomes.
NIST SP 800-53 Rev 5AC, SI, CP, IR, SCControls map directly to access, integrity, contingency, response, and system protection needs.
NIST Zero Trust (SP 800-207)Zero trust is relevant where remote access and machine identities reach operational assets.
OWASP Non-Human Identity Top 10CPS environments often rely on service identities and secrets that need explicit governance.
NIST AI RMFRelevant where CPS incorporates AI-enabled autonomy or decision support.

Apply access control, integrity, recovery, and incident controls to keep operational systems safe and recoverable.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org