A high-speed train abruptly stops short on the tracks. Several hospitals begin to experience a rise in mortality rates. Both are the result of a cyber attack with serious implications in the physical world.
The latter is merely one example of how cyber attacks have affected hospitals. This is largely due to how connected they are to the digital world (e.g., medical devices), according to a report on the effect of IoT devices on the healthcare industry.
Given such ramifications, the spotlight placed on this convergence of cyber and physical threats—whereby risks that emanate in the digital domain become real and significant threats in the physical domain—is growing wider, shining brighter and spurring government and regulatory action.
The convergence of cyber-physical risks will only increase as our world becomes more connected than we could ever imagine. Governments and regulators recognize the potential harm and have taken action.
For example, in December 2022, the European Commission issued the NIS2 Directive to strengthen both the cyber and physical resilience of EU critical entities and networks. In March, the U.S. White House announced the launch of a working group dedicated to cyber-physical resilience. It noted that, “we are creating an increasingly fragile society where the overall [cyber-physical] systems we rely on can become ever more brittle.”
That’s not to say we’re headed for a global catastrophe. But it is a reminder of how far-reaching cyber-physical risks are and the ripple effects they have on critical infrastructure and systems—and our everyday lives.
Nonetheless, many organizations still operate their cyber and physical security teams as distinct, standalone disciplines with little to no collaboration on managing risks. This is no longer tenable and calls for all organizations to ensure both their cyber and physical security teams have a formal means and standard of collaboration.
The result, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is cyber and physical security functions that are more resilient and better prepared to identify, prevent, mitigate and respond to cyber-physical threats.
Traditionally, organizations have kept their physical and cyber security operations independent of one another. That’s partly due to the relative age of each practice. Physical security has a long history, while cybersecurity is comparatively new.
But thanks to the increased use of IoT and IIoT devices, the number of systems moving to the cloud, and the proliferation of social media and smart devices, the need for security convergence across industries is greater than ever.
Some examples of cyber-physical risks are more evident, such as the May 2021 ransomware attack on the Irish healthcare system. It led to a systemwide IT shutdown that created a real and imminent threat to patients. Another is the well-known and oft-referenced attack on a Florida water treatment plant that threatened to poison a city’s water supply with dangerous levels of lye.
Other examples are not as readily apparent, yet still pose significant risks. One is the recent rise in the number of attacks on Internet-connected industrial control systems (ICS), especially those that run critical infrastructure—from oil companies and gas plants to airlines and traffic light systems. In some cases, hackers exploit security gaps in access controls to facilities, allowing them to install malware that compromises an organization’s entire network. Remote access software used to control ICS and heating, ventilation and air conditioning systems is also a common entry point for attacks that affect both the cyber and physical domains.
Some experts warn that having siloed teams opens businesses up to operational blind spots and a weaker security posture. For instance, when a new threat emerges, oftentimes security practitioners focus only on their area of responsibility with little knowledge of what is happening on the other side of the house—preventing both cyber and physical security teams from having a holistic view of the potential threats.
The solution for many organizations is to merge their cyber and physical security teams into a single function that detects and responds to all risks, no matter the domain in which they originate. However, that’s not the only viable fix.
A significant number of cyber and physical security leaders have found ways to collaborate without merging their teams. When done right, the teams find measurable success. Take, for instance, Bank of America.
During one of our webinars on cyber-physical trends and threats, Craig Froelich, Chief Information Security Officer (CISO) at Bank of America, explained how it works at his company.
“We're separate organizations, but we're fully integrated. The team that is responsible for cyber sits shoulder to shoulder with the team that's responsible for physical,” said Froelich. “We use similar processes, we use similar call trees. We are as integrated as an organization as you can imagine.”
Keep in mind that marrying the expertise of cyber and physical security leaders and teams can be challenging. Often, there is a cultural and skills divide between the two, which leads them to look at the world very differently. Those differences can result in poor communication and sometimes outright miscommunication, two of the biggest problems facing organizations that have yet to develop strong processes to drive collaboration across these two critical teams.
There are also logistical barriers to consider, as well as a lack of understanding at the senior leadership level as to why security convergence is no longer a nice-to-have—but a business imperative.
There are many benefits to having cyber and physical security teams work in close partnership:
While each organization will manage and respond to the increasing convergence of cyber and physical risks differently, real-time information is at the heart of their ability to do so. Organizations need to ensure all security teams have equal access to real-time data on emerging and potential risks—regardless of where or how the threat begins—and create a clear process for when and how to communicate that information and which stakeholders should receive it. As such, being able to detect these cyber-physical events and risks as early as possible and as they unfold is critically important.
The cyber and physical worlds have been converging for years, but it’s only now that the ways in which the lines between the two blur have become much more visible and understood.
This blog has been updated from the original, published on November 15, 2021, to reflect new events, conditions or research.
Shimon Modi is VP of Product Management at Dataminr, where he leads product strategy for cyber and partnerships. Shimon has over 10 years of experience bringing cybersecurity solutions to market for companies like Accenture, TruSTAR (acquired by Splunk) and Elastic.