
Written by Merrick Spain
Head of Operational Technology | Entag
In an increasingly interconnected world, the lines between cyber and physical security have blurred significantly. Cyber security focuses on protecting digital assets, networks, and data from unauthorised access or attacks, while physical security safeguards people and tangible property, assets and infrastructure. However, their interdependence, often referred to as cyber-physical convergence, means that vulnerabilities in one domain can directly impact the other, leading to cascading risks. For instance, a cyber breach can manipulate physical systems, causing real-world harm, or physical access can enable cyber intrusions.
Recent research highlights a growing correlation between physical and cyber security breaches, especially as threat actors increasingly exploit vulnerabilities across both domains. A 2024 survey of over 1,000 cybersecurity professionals found that 45% experienced losses of $500,000 or more due to cyberattacks affecting physical systems, and 27% reported losses exceeding $1 million, underscoring the tangible consequences of this convergence.
Critical infrastructure sectors, like finance, energy, and healthcare, are particularly vulnerable due to their expansive attack surfaces, but breaches that illustrate cyber-physical convergence are becoming more common across all industries. One of the earliest and most infamous cases is the 2010 Stuxnet worm attack on Iran’s nuclear program, which required physical access to the facility’s air-gapped systems, allowing the introduction of a worm via infected USB drives. In late 2013, retail giant Target suffered a massive data breach affecting over 40 million customers’ credit and debit card information. Hackers gained entry by stealing credentials from a third-party HVAC vendor with physical access to facilities. Russian-linked hackers targeted Ukraine’s power grid in 2015, causing outages for hundreds of thousands of people when the attackers exploited weak physical access controls to enter substations. A high-roller casino in North America was breached in 2017 when hackers exploited an internet-connected thermometer in a lobby fish tank, and in 2021 hackers remotely accessed the supervisory control and data acquisition (SCADA) system of the Oldsmar water treatment plant in Florida, USA, and attempted to raise sodium hydroxide levels in the water supply to toxic amounts. These scenarios reveal a common theme: attackers often leverage physical access or devices to launch cyber operations, or vice versa, amplifying the impact across domains.
There are several implications for organisations. Addressing cyber-physical convergence ideally requires organisations to adopt a formal, holistic and integrated Security Strategy rather than informal, fragmented approaches. Conducting comprehensive Risk Assessments is a good starting point.
Frameworks such as ISO 27001 can be helpful in providing a baseline for both cyber and physical security. IEC 62443 is also recommended for use in operational technology (OT) environments.
The organisational strategy must support Integrated Risk Management that includes physical, personnel, and information security layers. Organisations have traditionally separated their physical and cyber security teams, which will lead to gaps in protection. Experts recommend a unified approach to mitigate risks and respond effectively to incidents that span both domains.
Cross-training and collaboration both within and between physical and cyber teams will support a culture of security in which IT and physical security teams collaborate closely, helping them identify and respond to hybrid threats more effectively. Employee Training and Awareness is also recommended to extend the focus on converged cyber-physical threats throughout the organisation.
Monitoring and analytics systems with modern architectures should cover both digital and physical access points to detect anomalies that may indicate coordinated attacks. This provides a Layered Security Approach that combines physical measures with cyber defences. Incident response plans that address hybrid threats should be developed, including simulations of cyber-physical attacks. Other technical measures, such as implementing network segmentation and isolation and ensuring regular updates and secure configurations, are critical.
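One way to implement the combined digital and physical monitoring described above, as an added example that is not part of the original article: it correlates badge-reader events with on-site console logins and flags any login by a user who is not badged into that site at the time. The event fields, user names, sites and hostnames are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events, not real logs. Field layout is an assumption:
# badge = (timestamp, user, site, direction); login = (timestamp, user, site, host)
BADGE_EVENTS = [
    ("2024-05-01T08:02:00", "alice", "plant-a", "in"),
    ("2024-05-01T17:30:00", "alice", "plant-a", "out"),
    ("2024-05-01T09:00:00", "bob", "hq", "in"),
]
LOGIN_EVENTS = [
    ("2024-05-01T08:15:00", "alice", "plant-a", "hmi-01"),   # badged in: expected
    ("2024-05-01T19:05:00", "alice", "plant-a", "hmi-01"),   # after badge-out
    ("2024-05-01T09:20:00", "bob", "plant-a", "eng-ws-02"),  # badged in elsewhere
    ("2024-05-01T10:00:00", "carol", "hq", "desk-17"),       # never badged in
]

def parse(ts):
    return datetime.fromisoformat(ts)

def presence_at(badges, user, when):
    """Return the site the user is badged into at `when`, or None."""
    site = None
    for ts, who, where, direction in sorted(badges):  # ISO timestamps sort by time
        if who != user or parse(ts) > when:
            continue
        site = where if direction == "in" else None
    return site

def find_mismatches(badges, logins):
    """Flag console logins whose site disagrees with badge-derived presence."""
    alerts = []
    for ts, user, site, host in sorted(logins):
        present = presence_at(badges, user, parse(ts))
        if present == site:
            continue  # physical and digital evidence agree
        reason = ("not badged in at login time" if present is None
                  else f"badged into {present}")
        alerts.append((ts, user, host, reason))
    return alerts

if __name__ == "__main__":
    for alert in find_mismatches(BADGE_EVENTS, LOGIN_EVENTS):
        print("ALERT", *alert)
```

Each alert is a lead for both teams: a login without a matching badge-in can mean tailgating, a shared credential, or a console session that is actually remote.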
By implementing these approaches, organisations can reduce the risks posed by cyber-physical convergence and build resilience against evolving threats. Organisations that treat these domains in isolation invite exploitation, while those adopting integrated approaches can better protect their assets, operations, and people.