
The evolving landscape of cyber-physical security brings unique challenges to IT (information technology) and OT (operational technology) environments that transcend traditional IT risks. The heightened risks from the industrial Internet of Things (IIoT) and automation necessitate robust strategies for protecting interconnected systems. As industries increasingly rely on IIoT, the potential attack surface expands, making it imperative to address vulnerabilities that could disrupt physical operations.
Thus, bridging IT and OT security requires a holistic approach combining technological and procedural strategies. In practice this means a unified security framework that can both manage and monitor IT and OT assets. Risk assessment is therefore a critical element of proper cyber-physical security: through it, organizations can design security measures around the particular risks they face rather than applying generic controls.
Cyber-physical security regulations and standards are another part of this complex landscape that organizations must navigate. Most organizations work towards industry-specific standards, such as those published by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), so that they can adhere to a recognized baseline and meet applicable legal requirements. Achieving such compliance, however, is challenging because cyber threats are dynamic and the regulatory environment keeps changing. Organizations must be agile enough to keep updating their security protocols as new standards appear and emerging risks need to be mitigated.
Ultimately, the solution to effective cyber-physical security is a proactive approach that includes risk assessment, regulatory compliance, and strategic integration of IT and OT security measures. This would ensure that operations are protected from the multifaceted threats brought about by the convergence of digital and physical worlds.
Dealing with unique cyber-physical security risks beyond IT
Industrial Cyber reached out to industrial cybersecurity experts to define ‘cyber-physical’ security, and what makes its risks distinct from traditional IT or cyber risks.
“Cyber-physical security is a recently popularized term for what we have long known as industrial cybersecurity or operation technology (OT) security,” Sandeep Lota, global field CTO at Nozomi Networks, told Industrial Cyber. “It refers to the protection of cyber-physical systems (CPS), which integrate physical processes and digital components. When Gartner announced it was going to publish a new hype cycle for CPS security last year, suddenly this phrase started appearing everywhere. ‘Hype’ is particularly apt here.”
Lota added that cyber-physical security risks are distinct from traditional IT or cyber risks in that they involve physical consequences – the stakes are higher, especially when critical infrastructure is involved.
Vytautas Butrimas, industrial cybersecurity consultant and a member of the International Society of Automation (ISA), told Industrial Cyber that cyber-physical security is the policy to protect against the compromise or failure of digital technologies used to monitor and control a process governed by the laws of physics and chemistry. “The distinction in risk comes from the consequences of data/information loss in IT environments compared to the consequences from the loss of view and control of a physical process. In the former, there is low risk to people, property, or the environment, and will likely be addressed with a call to the IT department. In the latter, physical harm to people, property, and/or environment is likely and a call would be made to the fire and rescue services,” he added.
“Cyber-physical security involves protecting components that interact with and control physical elements of industrial processes, outlined in the lower Purdue levels,” Christina Hoefer, vice president of OT and IoT Strategy at Forescout Technologies, told Industrial Cyber. “For example, in the food and beverages industry, process valves control water or ingredient supply, heat controllers melt chocolate and coordinated robot arms help decorate the chocolate bonbons. While an unplanned stoppage of an assembly line can result in revenue loss, stopping an industrial furnace could cause equipment damage and safety risks.”
Hoefer observed that securing cyber-physical systems requires addressing vulnerabilities, access control, and cyber risks. “Unlike traditional IT, operational technology (OT) and industrial control systems (ICS) cannot simply be restarted without disrupting operations. Organizations must tailor their approaches to balance security with operational needs.”
Cyber-physical security ensures the safety, reliability, and availability of industrial systems, focusing on preventing operational disruptions, Zakhar Bernhardt, an OT/ICS cybersecurity consultant at German automation company anapur AG, told Industrial Cyber. “Unlike IT security, where confidentiality is key, OT environments prioritize safety and uptime. Cyber issues in OT can directly impact physical systems, putting lives and infrastructure at risk, which requires tailored approaches to address these unique challenges.”
Cyber-physical security in the age of rising IIoT, automation
The executives examine how recent technological advancements such as IIoT and automation have reshaped the cyber risk landscape. They also look into the implications this has for organizational cyber-physical security strategies.
“Automation is hardly a recent advancement, and IIoT has been around long enough (ca. 2010) for CPS-focused cybersecurity vendors to understand the risks that connected devices introduce and defend against them,” according to Lota. “At this stage of maturity, industrial organizations and critical infrastructure owners can protect themselves by adopting readily available access control, continuous monitoring, threat detection, and other OT-focused cybersecurity solutions and rigorously adhering to cyber hygiene best practices such as strong password policies, least-privilege access, network segmentation and so on.”
Butrimas said “We now live in a world of increased connectivity of devices and systems. This has allowed for the creation and efficient operation of even larger systems over wide geographic areas. Unfortunately, the advancement has resulted in the introduction of new exploitable vulnerabilities, increased potential points of failure, vital dependencies prone to cascading failures, and a wider attack surface.”
He observed that the implications include a need to rethink system architectures, allowing connectivity where it makes good engineering sense and improves safety, and reducing it where it does not.
“Advancements like industrial internet of things (IIoT) and automation have made devices more interconnected, providing data for analytics and automation, but also expanding the attack surface,” Hoefer said. “Insecure-by-design devices introduce new entry points for attackers, allowing for lateral movement, data theft, and process disruptions.”
She added that organizational cyber-physical security strategies now need to consider how to secure a much broader scope of devices, including OT, Internet of Things (IoT), IIoT, and building automation system (BAS) devices and networks, while dealing with the additional cyber-physical requirements and constraints.
“Advancements like IIoT and automation have expanded the attack surface in OT environments,” Bernhardt said. “Remote access and data transfers improve efficiency but also introduce vulnerabilities and risks like cyberattacks and system instability. Adding more services to OT networks reduces reliability and increases complexity. Organizations must focus on combining reliability and security through real-time monitoring and thorough testing of new technologies.”
Bridging IT-OT security: Strategies for cyber-physical security
The executives offer practical strategies and frameworks that organizations use to bridge the gap between IT and OT security teams, ensuring alignment and effectiveness in cyber-physical security efforts. Each also shares the one thing they wish IT professionals understood about cyber-physical systems and their unique risks.
Lota noted that the IT/OT cultural divide comes to a head in the SOC, and that’s the best place to address it. “Too often, instead of a merged SOC, you have a traditional IT SOC providing a service to the OT business unit, which it doesn’t understand. I’ve written about this and provided some effective strategies here.”
“The one thing I wish IT professionals understood about CPS is really our industry mantra: that OT controls physical processes and that when something goes wrong the stakes are much higher,” Lota added. “In industrial environments, you’re always planning for your “worst day.” What catastrophic thing could happen that could impact thousands of people? Your average SOC analyst isn’t trained to think that way.”
Butrimas observed the tendency to “use what is well established (or derived from) for protecting data/information-centric environments which are not fully suited to the automation and control system (ACS) environments. IT patching policies, for example, are toxic to ACS environments.”
The one thing Butrimas wishes for IT professionals to understand is a basic knowledge of the concepts used in the field of engineering. “If they knew that they would think twice before imposing an IT security policy on a process or at least consult with an automation or protection engineer before trying it.”
Hoefer mentioned that many organizations are creating OT-specific security teams or assigning OT security advisor roles to automation professionals. “Even if these teams are small, they ensure that cyber-physical requirements are considered when building security strategies. Common frameworks that organizations follow are the NIST Cybersecurity Framework and IEC 62443.”
She identified that IT professionals need to understand that while many industrial systems may appear automated, they often rely on outdated equipment. Low-performance systems require careful planning and cannot be managed like IT devices. Deploying security controls takes time to avoid disrupting critical operations.
“Practical frameworks in OT cybersecurity are limited, often relying on specialized training and courses,” according to Bernhardt. “Bridging the IT-OT gap relies on fostering mutual understanding. IT professionals need to recognize that OT prioritizes safety and uptime over confidentiality and agility. Strategies like joint training sessions and cross-disciplinary teams can improve alignment. Building this understanding helps IT and OT teams work together to protect critical systems effectively.”
Measuring cyber-physical security effectiveness
The executives focus on the methods and metrics that organizations employ to monitor and assess their cyber-physical security stance across IT and OT environments. They also consider whether organizations generally possess the resources and expertise needed to do so.
Lota identified that the easiest, most consistent way to track and evaluate CPS risk is in your cybersecurity platform. “However, they’re not all capable of calculating OT risk, which is much more involved than vulnerability scoring. You’re not just looking at asset risk; you must also identify your most critical processes and how to protect them. It’s important that these calculations reflect how your organization assigns risk.”
Butrimas recommends becoming familiar with the International Society of Automation standard for Industrial Control and Automation System Security (ISA/IEC 62443) and the ISA 95 standard for Enterprise Control System Integration. “Also the questions listed among the 12 principles found in the US-DoE/INL Cyber Informed Engineering.”
He also mentioned that in his experience, “some asset owners and operators do not have the resources and expertise to support this kind of deep evaluation. This IMO comes more from a lack of awareness of these methods and the need to employ them.”
Hoefer said that tracking cyber-physical security begins with a detailed asset inventory, documenting connected systems, operating systems, firmware, and the criticality of each asset. “Automating inventory generation and maintenance processes with tools like industrial network monitoring technologies helps maintain accuracy and efficiency. This data enables non-intrusive security posture evaluations, identifying vulnerabilities, outdated OS versions, default credentials, and unnecessary services.”
She detailed that many tools also automate risk assessment and offer diagnostic capabilities, addressing inefficiencies beyond security. “While most organizations already have asset tracking systems, others can start with periodic risk assessments, using network captures and system exports to build an inventory and gain risk insights.”
Bernhardt said organizations must first understand their environment and deploy monitoring tools to uncover blind spots. “Metrics like system uptime, incident response time, and audit findings are critical for tracking security posture. Regular internal audits ensure visibility and validate defenses. However, many organizations lack the dedicated teams and expertise to manage OT cybersecurity effectively. Developing in-house capabilities is essential for managing tools and staying ahead of risks.”
Does risk assessment emerge as key to effective cyber-physical security?
The executives analyze how a thorough risk assessment informs the development of a comprehensive cyber-physical security plan. They also look into the best practices organizations should follow in this process.
“Any risk assessment starts by conducting a business impact analysis to identify your critical business functions, or crown jewels, and prioritize their protection,” Lota said. “As I mentioned, in industrial environments it’s more complex because you’re not just looking at assets and vulnerabilities. To really understand risk, you must identify not only your most critical processes but the technology dependencies associated with them.”
He added that a useful metric for determining criticality is RTO, or recovery time objective: if the recovery time to restore the function is long and the tolerance for an outage is low, the function is critical and needs to be protected.
“Provides answers to the questions of what needs protection, from what threats, and how to protect identified assets from identified threats,” Butrimas said. “These answers will help persuade finance and management.”
Hoefer said that risk assessments should focus on asset posture, communication dependencies, and progress in strengthening security and controls. “Key factors like open ports, vulnerabilities, and device behavior impacting security or other downtime shape risk scores. A security plan should prioritize remediating weak security postures, detecting any unanticipated cyber threats, and creating a thorough response plan for rapid recovery. Many organizations miss these last steps and focus all their energy on the protection phase.”
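As an added illustration, not code from the article or from any vendor quoted in it, the following Python sketch applies two ideas from the discussion above to a constructed asset inventory: Hoefer's inventory-driven, non-intrusive posture evaluation (flagging default credentials, outdated operating systems and unnecessary services from inventory data alone) and Lota's RTO-based criticality test (an asset is critical when its recovery time objective exceeds the outage its process can tolerate). Criticality propagates along the communication dependencies Hoefer mentions, and findings are weighted and scaled by criticality to produce a ranked remediation list. The hygiene lists, weights, asset names and all values are assumptions made for the example.

```python
"""Constructed example: inventory-driven posture check with RTO-based criticality."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hygiene baselines. These lists and weights are assumptions for the example,
# not a vendor's or standard's list.
OUTDATED_OS: Set[str] = {"Windows XP", "Windows 7", "Windows Server 2008"}
UNNECESSARY_SERVICES: Set[str] = {"telnet", "ftp", "http-admin"}
WEIGHTS = {"default_credentials": 5, "outdated_os": 4, "unnecessary_service": 2}
CRITICAL_MULTIPLIER = 3


@dataclass
class Asset:
    name: str
    zone: str                      # Purdue-style level label, e.g. "L1"
    os: str
    services: Set[str]
    open_ports: Set[int]
    default_credentials: bool
    process: str                   # physical process the asset supports
    rto_hours: float               # recovery time objective for that process
    max_outage_hours: float        # outage the process can tolerate
    depends_on: List[str] = field(default_factory=list)  # communication dependencies


def posture_findings(asset: Asset) -> List[str]:
    """Non-intrusive checks run purely against inventory data (no probing)."""
    findings = []
    if asset.default_credentials:
        findings.append("default_credentials")
    if asset.os in OUTDATED_OS:
        findings.append("outdated_os")
    for svc in sorted(asset.services & UNNECESSARY_SERVICES):
        findings.append(f"unnecessary_service:{svc}")
    return findings


def critical_assets(assets: Dict[str, Asset]) -> Set[str]:
    """Critical = recovery takes longer than the process tolerates (RTO test),
    plus everything a critical asset depends on, transitively."""
    critical = {a.name for a in assets.values() if a.rto_hours > a.max_outage_hours}
    stack = list(critical)
    while stack:
        for dep in assets[stack.pop()].depends_on:
            if dep in assets and dep not in critical:
                critical.add(dep)
                stack.append(dep)
    return critical


def risk_score(asset: Asset, critical: Set[str]) -> int:
    """Weighted posture findings, scaled up when the asset is critical."""
    base = sum(WEIGHTS[f.split(":")[0]] for f in posture_findings(asset))
    return base * (CRITICAL_MULTIPLIER if asset.name in critical else 1)


def prioritize(assets: Dict[str, Asset]) -> List[Tuple[str, int, List[str]]]:
    """Ranked remediation list: highest score first, name as tie-breaker."""
    critical = critical_assets(assets)
    ranked = [(a.name, risk_score(a, critical), posture_findings(a)) for a in assets.values()]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory (illustrative values only, not a real site).
SAMPLE: Dict[str, Asset] = {a.name: a for a in [
    Asset("plc-mixer-01", "L1", "VxWorks", {"modbus", "http-admin"}, {502, 80},
          True, "chocolate tempering", 48, 4, ["switch-cell-01"]),
    Asset("switch-cell-01", "L1", "SwitchOS", {"telnet", "snmp"}, {23, 161},
          False, "chocolate tempering", 1, 24),
    Asset("hmi-line-02", "L2", "Windows 7", {"rdp"}, {3389},
          False, "packaging line", 8, 24),
    Asset("eng-ws-03", "L3", "Windows 10", {"ssh"}, {22},
          False, "engineering", 2, 24),
]}

if __name__ == "__main__":
    for name, score, findings in prioritize(SAMPLE):
        print(f"{name:15} score={score:3} findings={findings}")
```

Run directly, the script prints the PLC first (default credentials and an admin web service on a critical process), then the cell switch, which has no critical process of its own but inherits criticality because the PLC depends on it. In practice the inventory records would come from a network monitoring export rather than being typed in, and the weights would be set to reflect how the organization itself assigns risk, as Lota notes above.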
According to Bernhardt, risk assessments in OT environments should focus on identifying major vulnerabilities without delving too deeply into details. “A general assessment is sufficient to highlight critical issues and guide improvement efforts. Best practices include tailoring assessments to operational realities, prioritizing high-impact risks, and iteratively refining security measures during implementation. This approach ensures that resources are effectively directed toward enhancing system resilience.”
Tackling cyber-physical security compliance challenges
The executives explore the impact of regulatory requirements and industry standards on designing and implementing cyber-physical security measures in IT/OT environments. They also discuss any existing gaps or challenges in achieving compliance.
Lota said that regulatory compliance is the top driver for CPS security program design and implementation. “Programs evolve based on where government and industry regulations dictate. As cyberattacks on critical infrastructure increase in number and sophistication, often with the help of AI, worldwide regulatory bodies have responded by updating standards and developing stricter regulations aimed at bolstering resilience. These actions are understandable, but increased regulation often widens existing gaps between organizations with sufficient resources to keep up with evolving mandates and those who cannot,” he added.
“As for industry standards, the first major update in a decade to the IEC 62443-2-1:2024 standard has been incredibly helpful for organizations large and small,” according to Lota. “Overall, updates to many parts of IEC 62443, along with new certification schemes and wider national adoption in recent years, are providing a stronger, more consistent foundation for securing CPS worldwide.”
Butrimas sees this as having a significant influence. “For example, the current attention given to the EU’s CRA. Sadly, there are gaps. Mainly by being more specific about what needs protection and what threats are. The CRA in my opinion would be a better document if instead of indicating a vague definition of what needs protection as ‘devices with digital elements,’ it would call out the PLC or if that is too specific then use the term ‘automation and control system.’ This would enhance efforts to ensure that the critical infrastructure we depend on will be safe, available, and resilient.”
He added that threats need clarification too. “Threats are not abstractions or just limited to cybercrime and socially motivated hacktivism. Knowing who may be attacking will inform what is needed for defense.”
“Many regulatory requirements and industry standards influence the design and implementation of security measures by focusing on asset management, risk management, and detection of security threats,” Hoefer said. “However, gaps arise when standards remain too vague in their requirements and recommended steps, or when organizations are focused on chasing the compliance stamp rather than considering what’s best for their security.”
She highlighted another risk, which occurs when a standard concentrates solely on one aspect of the organization, neglecting the interconnectedness and reliance of cyber-physical operations on other IT systems.
Bernhardt stated that regulations and standards establish essential baselines, but practical challenges remain. “These include adapting guidelines to specific operational contexts and addressing gaps in actionable implementation advice. Compliance alone is not enough – organizations must align these standards with their unique environments and industries to achieve robust security. Regulations should be seen as a starting point, complemented by tailored, practical measures,” he concluded.