Cyberthreats are rapidly evolving, extending far beyond traditional phishing scams and credential theft. These growing threats could cost businesses around the world $15.63 trillion by 2029. Among the most pressing risks today is the emergence of cyber-physical threats.
Cyber-physical threats involve vulnerabilities that arise from the integration of digital systems, such as networks and software, with physical infrastructure, including machinery, security systems, data centers, and building control systems. Attacks are carried out by compromising either a digital or physical system and impacting the other in the process. This can involve:
Gaining access to digital systems to manipulate, disrupt, or damage physical devices and infrastructure.
Infiltrating physical infrastructure to steal, disrupt, or damage critical systems or sensitive data.
Like traditional cyberattacks, cyber-physical attacks can have devastating consequences for businesses. However, these attacks don’t just compromise sensitive data; they also put physical infrastructure and employee safety at risk.
“When we think about security today, it’s clear that digital and physical protection are no longer distinctly separate worlds — they’re completely connected,” said Andy Biladeau, chief transformation officer at SHRM. Traditionally, physical security focused on protecting people and facilities, while cybersecurity safeguarded data and networks. However, the growing connectivity of physical infrastructures has blurred the lines between these two areas.
As businesses embrace digital transformation, interconnected devices such as internet-of-things (IoT) systems are becoming more prevalent. These networks of everyday devices, like sensors, security cameras, and heating or cooling systems, collect and share data over the internet for remote control and real-time monitoring. While these systems enhance efficiency and automate tasks, they can also become access points for cybercriminals. With more interconnected devices, businesses face an increased risk of breaches to both digital and physical systems, making cyber-physical attacks a critical threat.
As cybercriminals adopt new tactics and threats continue to evolve, security strategies must advance to overcome them. To safeguard both digital and physical assets, organizations must adopt an integrated approach to security that aligns cyber and physical strategies. By bridging this gap, businesses can strengthen resilience, ensure continuity, and enhance safety in the face of ever-evolving threats.
Evolving Cyber-Physical Attacks
Cyberattacks have evolved far beyond data breaches. Modern cyber-physical attacks can take control of IoT systems, disrupt supply chains, and sabotage essential infrastructure, creating far-reaching consequences for organizations.
Failure to secure critical systems can lead to:
Operational disruptions: Cyber-physical attacks can shut down essential interconnected systems, leading to costly downtime and lost productivity.
Reputational damage: Customers, investors, and partners may lose trust in your business if you fail to protect sensitive data and systems.
Regulatory and legal liabilities: Security failures can lead to lawsuits, compliance violations, and hefty regulatory fines.
Employee safety risks: Cyber-physical attacks on building security or industrial controls can endanger employees and expose businesses to liability.
Financial burdens: The exorbitant costs of recovery efforts, legal fees, regulatory penalties, and potential ransom payments can overwhelm businesses.
Cyber-physical attacks can disrupt operations and business continuity by undermining physical devices and infrastructure. These breaches may include denial-of-service (DoS) attacks, where hackers overwhelm devices with traffic to render them unusable. This was the case in recent cyberattacks linked to China that compromised thousands of internet-connected devices, including routers and IoT devices.
However, cyber-physical attacks can also lead to far more dangerous consequences that involve human safety. In 2020, a ransomware attack targeted a German hospital, taking down critical IT systems. This forced the facility to divert emergency patients, resulting in treatment delays that tragically contributed to a woman’s death.
Last year, the U.S. sanctioned a Chinese cybersecurity company after one of its employees deployed malicious software that compromised roughly 81,000 firewalls at global organizations in 2020. Thirty-six of those firewalls were at U.S. critical infrastructure companies, including an energy company actively engaged in a drilling operation. The U.S. Treasury Department condemned the attack as a direct threat to human life, noting that if the attack hadn’t been stopped, it could have caused oil rigs to malfunction, putting workers’ lives at serious risk.
Businesses also face an increased risk of cybercriminals infiltrating partners, service providers, or third-party vendors to compromise factories, logistics networks, and entire business operations.
In 2021, the DarkSide hacker group launched a ransomware cyberattack on Colonial Pipeline, the largest fuel pipeline operator in the U.S. To prevent the ransomware from spreading to operational systems, Colonial Pipeline was forced to shut down operations, leading the U.S. government to declare a state of emergency due to widespread fuel shortages up and down the East Coast.
Emerging Threat: Office Breaches
Theresa Payton, CEO of cybersecurity company Fortalice Solutions and former White House CIO, warns of emerging threats involving employees and company buildings.
Payton predicts that cybercriminals may begin to digitally attack office spaces and trap workers for ransom. “If you have any buildings that are smart buildings that have lots of internet-of-things devices installed, my prediction is by the end of 2025, ransomware syndicates are going to move to buildings,” she said on SHRM’s Tomorrowist podcast. “[They could] lock people in and hold them for ransom, and not let them out until you pay the ransom.”
Conversely, cybercriminals may take the reverse approach — infiltrating office spaces to access secure digital systems. One common tactic is a malicious USB drop — leaving an infected USB drive in an office or parking lot, hoping someone will plug it in. This seemingly harmless action can trigger severe consequences, from data breaches to complete system shutdowns.
A striking example of this tactic was the Stuxnet computer worm, which famously disrupted Iran’s nuclear program. By infecting industrial control systems via a USB drive, Stuxnet caused centrifuges to malfunction, effectively sabotaging uranium enrichment processes and setting back Iran’s nuclear capabilities.
Siloed Security Increases Risk
As companies embrace digital transformation and more advanced, interconnected technologies, risks grow and become more complex. Maintaining separate cyber and physical security initiatives may lead to gaps in threat detection and slower responses to active, interconnected threats. Robust physical security measures can be undermined by inadequate cybersecurity protections, and vice versa. For example, with the rise of smart buildings and IoT systems, physical security devices are often network-connected but lack proper cybersecurity protections, making businesses more vulnerable to attacks.
An Integrated Approach to Cyber and Physical Security
To keep pace with today’s rapidly evolving threats and successfully adapt to digital transformation, businesses should integrate cybersecurity and physical security measures, Biladeau said.
“Security strategies are the left and right boundaries of any digital strategy. Whether apps or infrastructure, IT policies need to be woven into IT operations workflows to be effective,” he said.
A comprehensive approach that merges robust physical security with advanced cybersecurity measures ensures all vulnerabilities and entry points are effectively safeguarded. By adopting this strategy, organizations can identify weaknesses, mitigate risks, and empower their teams to respond proactively to potential breaches.
Tactical Steps for Integrating Security Strategies
1. Establish a Cross-Functional Security Team
To stay ahead of evolving threats, businesses should form cross-functional security teams that integrate IT, operations, and physical security. These teams should regularly conduct risk assessments to identify system vulnerabilities, access controls, and emerging security trends. This includes taking a step back and asking, “What systems are we relying on, and how might they be creating loopholes we didn’t intend?” Biladeau said. “It’s a reflective process — one that pushes us to uncover those hidden ‘back doors’ that could be working against the outcomes we’re striving for.”
Today, physical security measures, such as access controls and badging, are closely linked to IT systems and operations. By aligning teams and strategies, and proactively implementing measures to protect systems, businesses can ensure seamless protection with no gaps in threat detection.
2. Build a Culture of Security Awareness
Security awareness and education are essential for maintaining strong security. Holding monthly or quarterly training sessions helps employees stay aware of evolving threats and change their behaviors to reduce risk. Consistent phishing campaigns allow businesses to test employees, track results, and improve their skills and responses. Practical drills and hands-on training can help employees feel confident in how to respond in an emergency.
Beyond training, building a strong culture of security is just as crucial. Businesses should educate employees on the importance of practices such as always wearing their badges and using two-factor authentication. Create an environment where employees feel empowered to promptly report any security concerns without hesitation. By fostering a proactive mindset, organizations can strengthen security, reduce risks, and build a workplace where everyone takes responsibility for safety.
3. Create a Crisis Management Plan
“On the security side, imposters will get better and better at accessing our systems. This means that we must be prepared to respond effectively when attacks inevitably happen,” Biladeau said. Crisis management teams are becoming increasingly important as organizations face growing security threats. These teams should evaluate potential crises, assess their likelihood, and establish clear response plans.
Strong communication and coordination are key to responding quickly and effectively when a crisis occurs. A call tree system should be in place to determine whom to alert in an emergency. If necessary, organizations must be able to shut down system access, restrict building entry, and disable employee badges to prevent further risk.
At the director level, crisis management training is essential. Many security incidents involve insiders such as current or former employees, making it crucial to recognize warning signs and support individuals who may pose a risk. Leaders should develop evacuation plans, identify potential threats, and align teams with security expectations to strengthen organizational preparedness and resilience.
Building Resilient Organizations Through Comprehensive Security Strategies
In an increasingly interconnected world, the line between cyber and physical security has all but disappeared. As businesses continue to adopt IoT systems and advanced technologies, they are not only enhancing operations, but also expanding vulnerabilities in ways that traditional, siloed security strategies can no longer protect against.
The threat is real and growing — whether it’s ransomware shutting down fuel pipelines, malicious actors exploiting IoT vulnerabilities to disrupt infrastructure, or insiders leveraging weak physical access controls to compromise networks. Every entry point, digital or physical, represents a potential vulnerability if organizations fail to adopt a cohesive, integrated approach.
By aligning cyber and physical security measures, fostering cross-functional collaboration, training employees to recognize evolving threats, and preparing crisis management protocols, businesses can strengthen resilience, reduce risk, and safeguard both people and data.
To safeguard your organization from cyber-physical threats, explore the SHRM Cyber Resource Kit. It offers valuable tools and insights to help you strengthen your cybersecurity strategies and safeguard both your digital and physical assets. Learn more and get your kit today.