The convergence of physical and cyber-threats to infrastructure has become an urgent and complex challenge, write Michael Kolatchev and Lina Kolesnikova, Rossnova Solutions.
What used to be separate domains – physical sabotage or cyber intrusion – have merged into hybrid threats capable of disrupting national economies, public safety and military readiness.
Convergence refers to combined, coordinated or sequential attacks that exploit physical and digital vulnerabilities in a critical system, often creating cascading effects.
So, the “convergence” is both conceptual (we must treat security holistically) and operational (threat actors already exploit cross-domain vectors).
By convergence of threats, one means that distinct threat domains such as cyber, physical, supply chain, insider, environmental, geopolitical and more are increasingly overlapping, interacting or compounding each other, rather than existing in separate silos.
These threats are deliberate (state or non-state actors) or opportunistic (ransomware groups, hacktivists) and are increasingly difficult to attribute or detect early.
Domains
At a high level, we can take three technological categories that we will use to further analyse threats, impacts, possible response measures and asset characteristics: information technology (IT); operational technology (OT); physical (asset) technology (PT).
This classification is not necessarily strict and may overlap depending on one’s perspective.
Critical infrastructure (CI) typically includes elements of at least two, and often all three, of these categories. The categories share some concerns but weight them differently:
- The IT is primarily concerned with data security and privacy, application and data availability and their integrity
- The OT focuses on security and integrity and, most importantly, operational availability – that is, the production process must remain operational
- While the PT will also be concerned with security and integrity (of physical assets, goods, etc.), availability is a different matter: It concerns the physical accessibility of, for example, stored goods or a building
We all know that security is not the absence of risk – threats and risks always exist. It is about protecting important things as best as possible but based on priorities determined within ever-limited time and resources.
Therefore, security is rarely established once and for all. Rather, it is an iterative process in which improvements are gradually implemented as associated risks are identified or prioritised.
In IT parlance, we talk about patching. IT patching is a well-developed, accessible and widely used method. Patching IT systems frequently is a relatively inexpensive and quick process.
Patching OT, and especially PT, is often difficult or even impossible. Even where computerised components are used, a micro-controller whose logic is burned into it cannot simply be patched in place.
Indeed, re-burning the logic in a PLC is usually harder to arrange than replacing and restarting an application on a computer.
Instead, a much more expensive and time-consuming replacement method is used, and in most cases replacing the asset requires physical intervention on site.
Both repair and replacement take the asset out of service; replacement, being the more time-consuming method, leaves it inoperable for longer.
Moreover, repair times for operational and production processes (OT and PT) are longer than for most IT assets, so OT and PT assets remain unfixed for longer.
Another interesting difference lies in the nature of the consequences that failures can have. For IT systems, which can typically be replaced or restored more quickly, the impact is primarily on business and decision-making processes, which may be blocked, unavailable or malfunction.
For OT and PT systems, the impact is more profound and tangible. Operational processes may be halted, equipment may be damaged, personnel safety could be compromised or there may be serious environmental impacts.
Finally, forensics in these areas also differs. PT leaves more tangible traces, while IT leaves mostly intangible ones.
Convergence of domains
The modern world is characterised by the convergence of systems from various fields. Interconnection and integration play a crucial role in realising the numerous and significant benefits of this convergence.
Meanwhile, convergence of domains, while bringing benefits, opens new threat scenarios. Previously, physical assets were exposed only to physical threats.
Operational processes were exposed mainly to failures of the operating system itself and to physical attacks.
This no longer happens. Bridges exist between systems in different domains, for example, PT to IT (cyber), or IT (cyber) to OT.
The ability of a system in one domain to manipulate a system in another domain opens opportunities for attackers.
We live in an era of threat convergence across IT, OT and PT. The Stuxnet attack (2010) opened a Pandora’s box. Remotely-initiated attacks with operational and physical impact have become commonplace.
Something more dramatic can be expected after this – and this new development will be more difficult to predict, prevent and investigate.
Crime-as-a-service
Mirroring the world of legitimate business, malicious actors are developing more comprehensive and accessible services. As the economy changes, more platforms offer various “spare” resources for external use.
Different tools, functions and actions-as-a-service, both cyber and physical, are evolving in all directions: from cyber-tools and big data collection to even killings.
An example of the latter is killing-as-a-service, offered by criminal groups domestically and internationally.
In the world of legitimate business (imagine a modern, API-based computerised economy), integration and orchestration capabilities are developing rapidly; in the criminal world, with less rigid control, they develop even faster.
They enable both simpler and more complex scenarios based on the coordination of actions across all domains. This is threat convergence in action.
A shift
Undoubtedly, AI can now be exploited by attackers; just as legitimate AI agents make it easier for users to find information or choose a product, AI used by attackers can help find a more suitable target, select a more effective attack scenario or organise and launch necessary services from a global catalogue.
All this is fast, simple and inexpensive.
As we see threats coalesce and AI enrich them, we see the attackers’ target operating model shifting. The attack requestor does not need to do anything themselves.
Instead, the requestor will ask the AI something like, “select a target service whose disruption during the 24 hours of DDMM will lead to the most significant public outrage on DDMM+1, which is the election date”.
The requestor then tasks the AI with finding, organising, paying for and executing specific actions.
After that, the requestor might disappear and everything happens automatically, delivering the result according to the requested criteria.
Thus, the operating model becomes ‘requestor – service – target’, where the requestor does not necessarily initiate the attack, but chooses the method and tools and perhaps doesn’t even select the attack target.
Consequences
These developments make more attack scenarios available. They remain relatively simple for attackers because of the widespread use of “outsourced” services; for the defender, however, defence becomes more complex and expensive.
It requires the integration of signals from all domains, as well as test cases that are both more numerous and more complex (not just more, and not just more complex). Multi-vector denial-of-service attacks can be imagined.
A reasonably traceable path between the impact source and the requesting party is not only unclear, but in some cases, may be absent.
AI selects targets and methods, enters contracts and activates the corresponding services, freely combining them across domains to achieve the desired result (the impact itself or even just its consequences, depending on how the request is structured).
This resembles a new trend known in the world of legitimate business as agentic commerce.
The growing number of attack scenarios and the increasing number of combined attacks across multiple domains require additional resources from the defender – although, from the attacker’s perspective, additional resources are not actually needed; they simply select the appropriate services and tools and combine them.
Such offerings address threat vectors, cyber and physical, and are often offered on a pay-per-use basis, therefore requiring little investment from the requester.
For the defender, things are different: More resources are required, the scope and attack surface are much broader, protection becomes even more expensive.
And, with the new operating model described earlier, the requester is no longer an attacker in the classic sense.
What can be done about it?
- Integration of monitoring, protection and response across all domains
- More, and smarter, information gathering from sensors, surveillance, cyber-physical threat intelligence. Use AI/ML to detect anomalous behaviour that crosses cyber and physical thresholds
- Apply zero trust and network segmentation to both IT and OT environments
- Harden physical and OT assets
- Regular drills simulating combined sabotage and cyber-intrusion with inclusion of SCADA, IoT and legacy systems in simulations
- Public-private partnership
- Introducing a “prevention (of misuse) by design” approach to new developments in all domains. This could start with simple questions: Are all actors in the attack scenario malicious? Can legitimate actors, consciously or unconsciously, become manipulators while themselves being manipulated? Are there possible changes (often negative, unfair or obscure) that could trigger the risk-realisation scenario or contribute to negative developments in the event of an attack?
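As an added example, not code from the article or from Rossnova Solutions, the following Python sketch shows one way to act on the first two recommendations above: feed badge events (PT), VPN logins (IT) and PLC writes (OT) for the same operator into a single correlation step, and alert when an on-site control action contradicts the operator’s physical or remote-session state. The log format, field names, the `eng-ws-` host naming convention and the eight-hour VPN session lifetime are assumptions, and the sample events are constructed.

```python
"""Cross-domain correlation: flag OT actions that contradict an operator's PT/IT state.

Assumed one-event-per-line format (constructed for this example):
    <ISO-8601 timestamp> <domain> <kind> key=value ...
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

VPN_SESSION_TTL = timedelta(hours=8)   # assumed session lifetime; align with the real VPN policy
ONSITE_HOST_PREFIX = "eng-ws-"         # assumed naming convention for plant-floor engineering stations

# Constructed sample events from three domains (PT = badge system, IT = VPN, OT = PLC audit log).
SAMPLE_LOG = """\
2024-05-01T07:55:00Z PT badge user=ops-jsmith door=plant-gate direction=in
2024-05-01T08:10:00Z OT plc_write user=ops-jsmith host=eng-ws-01 tag=PUMP3_SETPOINT value=45
2024-05-01T16:30:00Z PT badge user=ops-jsmith door=plant-gate direction=out
2024-05-01T21:02:00Z IT vpn_login user=ops-jsmith src=203.0.113.9 geo=XX
2024-05-01T21:05:00Z OT plc_write user=ops-jsmith host=eng-ws-01 tag=PUMP3_SETPOINT value=95
"""


@dataclass
class Event:
    ts: datetime
    domain: str            # PT, IT or OT
    kind: str              # badge, vpn_login, plc_write
    attrs: Dict[str, str]


@dataclass
class OperatorState:
    on_site: bool = False            # unknown presence is treated as off-site (conservative, may be noisy)
    vpn_since: Optional[datetime] = None
    vpn_src: str = ""


@dataclass
class Alert:
    ts: datetime
    user: str
    tag: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Event:
    """Parse one log line; timestamps are normalised to aware UTC so events from
    separately-clocked systems can be ordered together."""
    ts, domain, kind, *kv = line.split()
    attrs = dict(p.split("=", 1) for p in kv)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), domain, kind, attrs)


def correlate(lines: List[str]) -> List[Alert]:
    """Replay events in time order, tracking each operator's physical and remote-session
    state, and raise one alert per PLC write whose context is inconsistent."""
    states: Dict[str, OperatorState] = {}
    alerts: List[Alert] = []
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    for ev in events:
        user = ev.attrs.get("user", "?")
        st = states.setdefault(user, OperatorState())
        if ev.kind == "badge":
            st.on_site = ev.attrs.get("direction") == "in"
        elif ev.kind == "vpn_login":
            st.vpn_since, st.vpn_src = ev.ts, ev.attrs.get("src", "?")
        elif ev.kind == "plc_write":
            host = ev.attrs.get("host", "")
            onsite_host = host.startswith(ONSITE_HOST_PREFIX)
            vpn_active = st.vpn_since is not None and ev.ts - st.vpn_since <= VPN_SESSION_TTL
            reasons = []
            if onsite_host and not st.on_site:
                # OT action from a plant-floor host, but the badge system says the operator is out.
                reasons.append("ONSITE_ACTION_WHILE_BADGED_OUT")
            if onsite_host and vpn_active:
                # Same account is simultaneously remote (IT) and on the plant floor (OT).
                reasons.append(f"ONSITE_ACTION_DURING_REMOTE_SESSION:{st.vpn_src}")
            if reasons:
                alerts.append(Alert(ev.ts, user, ev.attrs.get("tag", "?"), reasons))
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(a.ts.isoformat(), a.user, a.tag, ", ".join(a.reasons))
```

The 08:10 write passes because the badge system places the operator on site and no remote session exists; the 21:05 write is flagged on both rules. In a real deployment the three sources arrive with different clocks and delays, so the sort step must follow time normalisation, and the default of treating an operator with no badge history as off-site should be revisited once badge coverage is known.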
