Cyber physical governance isn’t a nice to have for state and local government, it’s essential
Examining why cybersecurity is fundamental for the public good in society
The concept of a public good has long been recognized in philosophy and economics. Famous thinkers from Aristotle to John Rawls have all argued that goods which sustain individual and societal welfare must be collectively protected.
Traditionally, a public good is defined as non-excludable, meaning no one can be denied access, and non-rivalrous, where one person’s use does not diminish another’s. This traditionally includes clean air, safe drinking water, and public safety.
In the 21st century, the scope of public goods is expanding. Communities are now deeply dependent on cybersecurity systems known as cyber-physical systems (CPS) that quietly support daily life.
General Manager, EMEA, Claroty.
Examples such as HVAC systems in libraries and building management systems in schools are all unseen technologies which form an invisible layer of civic infrastructure.
When governed well, they quietly enable continuity and safety. However, when compromised, they can undermine the very public goods they are meant to protect.
If CPS are now part of the public good, governments must govern them with the same diligence as water, health, or safety. This requires moving towards building frameworks that treat CPS risk as a societal concern, not just a technical one.
How does the threat landscape really affect people’s lives?
Public conversation about cyberattacks far too often reduces them to terms of financial losses. Of course, the numbers do matter - Claroty found that 45 percent of critical infrastructure professionals reported financial impacts of at least half a million dollars from CPS-related attacks. But for the public, the deeper issue isn’t financial, it’s societal and human.
When CPS disruptions impact critical national infrastructure, communities lose much more than money. Attacks on power grids can deny entire populations access to electricity or clean water. If a transport system goes down, there’s an increased risk of catastrophic accidents.
In healthcare, attacks could lead to delayed access to care and lives quite literally placed in jeopardy. Look at the 2024 Change Healthcare cyberattack; it disrupted countless hospitals across the US and showed just how easily CNI attacks can shake society to its core.
These social impacts are not felt evenly, and research from the University of Tennessee has shown that the most vulnerable members of society are the ones who suffer the most.
People living in disadvantaged areas are often exposed to multiple risks at once and have fewer resources to cope with disruption. This makes the responsibility on local governments even more important.
What does it take to move from reactive fixes to proactive resilience?
The key is governance. Strong governance transforms passive detection into actionable protection. This demands that security be framed as a matter of leadership rather than an afterthought left with IT management teams.
A central part of effective governance is conducting due diligence. Organizations must be able to identify any weaknesses or oversights and understand risks in order to reduce them to manageable levels.
This kind of ongoing assessment makes it possible to share risk information with decision makers and ensures policies are based on reality rather than assumptions. Approaches such as Zero Trust, which continuously verifies access, can help maintain control in environments where speed and precision are essential.
Resilience really comes down to visibility. There’s no excuse to struggle to answer basic questions such as “what assets do we own?” or “how exposed are they?” Without answers, governance cannot mature. Resilience requires continuous discovery of assets and risk information so that CPS protection is shared rather than trapped in silos.
Cooling centers are one emerging example. As global temperatures rise, these are becoming vital public services. Delivering them responsibly means designing and governing them in a way that accounts for human impact and embeds resilience from the start. Only then can their availability, and the public good they represent, be reliably assured.
What blind spots are most dangerous in CPS today?
A challenge for security is the complexity of modern IT infrastructure. Organizations must manage both IT and OT environments. Many operational devices were never designed with cybersecurity in mind yet are increasingly connected to the internet and exposed.
Traditional internet security tools cannot handle this complexity. OT devices often rely on proprietary protocols or specialized operating systems which make them attractive targets for ransomware and other attacks.
The only realistic solution is CPS-specific cybersecurity. That begins with visibility to know exactly what devices are connected to what networks. Asset management software can build a complete inventory so that no device is overlooked. Once this is in place, strategies such as exposure management and secure access can be applied in ways that reflect the unique challenges of CPS environments.
How can local leaders turn CPS security into public trust?
For leaders, treating CPS governance as a public good allows them to safeguard not just systems but also community confidence. Citizens rightly expect governments to ensure clean water, reliable healthcare, and public safety. Increasingly, they will expect the same for the digital systems that sustain daily life.
That means treating CPS as part of the service lifecycle. It also means ensuring protection is not siloed but shared across agencies so that there’s accountability in every layer of governance.
In an era of global unrest, this becomes even more urgent. State-backed adversaries are targeting CPS not only for financial reasons but also to disrupt public order. That makes early detection and real-time situational awareness essential.
When leaders are transparent about these efforts, they send a clear signal that essential services are being defended with the same care and responsibility as other public goods.
Why must CPS governance be treated as essential?
Cyber-physical systems are no longer invisible or secondary. They are public goods that are directly tied to the wellbeing of society. Disruption not only erodes trust but also deepens inequality and threatens safety.
State and local governments in all nations have both the responsibility and the opportunity to lead the way. By embedding governance, visibility, and CPS-specific resilience into the management of CNI, they can protect not only operations but also the trust and stability of the communities they serve.
