Most attacks involve human intervention, intentional or not, and have consequences in the physical world; yet cybersecurity and physical security are still handled in silos, creating vulnerabilities. This White Paper explores the blurring frontier between these two worlds and describes how a holistic approach can help protect organisations and make them more resilient.
If the current conflict in Ukraine highlights cyber-attacks carried out in the context of war, it should be emphasized that they are also taking place in other regions experiencing tensions and latent conflicts, such as in the Middle East between Iran and Saudi Arabia. Everyone remembers the Stuxnet attack in 2010, but who knows that it had been active since 2009, and had already infected a dozen companies before attacking Iranian centrifuges? Stuxnet was different from any other virus or worm that had come before.
Rather than simply hijacking targeted computers or stealing information from them, it escaped the digital realm to physically destroy equipment those computers controlled. Then, in response to Stuxnet, there was the attack on Saudi Aramco by Shamoon in 2012, which compromised 30,000 computers. Finally, from 2016 to 2018, there were numerous attacks on Saudi Critical Infrastructure networks and on government agencies. And similar examples can be found in all parts of the world.
Cyber-attacks are a strategic weapon of choice in conventional conflict and have been for a long time.
They are a primary way in which States, organisations and individuals can harm other States, organisations, and individuals, whether in a public or private setting. And while computers may be the targets of infection, human action has been shown to be a constant factor in these attacks.
It should therefore be emphasized that protecting the access to information and systems is and will remain three-dimensional, consisting of physical protection, the human factor, and digital protection. It has become clear that there is no point in trying to protect against, let alone respond to, an attack with a siloed approach. Likewise, protecting organisations against threats in the digital world, particularly cyber-attacks, can only be done with a holistic approach.
The consequences of cyber-attacks are also three-dimensional: IT infrastructures neutralized or destroyed; industrial production or services blocked or annihilated, with potentially serious industrial accidents; and finally, in human terms, injuries or deaths and job losses.
Whether through accident, negligence, or malicious intent, the human role is eminently present in the development and dissemination of cyber-attacks. As such, the human factor is a constant that must be fully integrated in a protection strategy capable of protecting against both an “involuntary vector” and a “malicious vector” (external or insider threat). It is because the human dimension cannot be dissociated from the defense strategy of organisations that the notion of cyber-physical security has become essential.
Promoting the concept of cyber-physical security, the subject of this White Paper, represents a reasonable and critical response to today’s threat. It was written by experts from across the globe under the aegis of the International Security Ligue and CoESS, joining forces to protect people, organisations and infrastructure against combined attacks that unfortunately will continue to be made.