Safeguarding critical energy infrastructure against converging cyber and physical threats

6 min read 14 August 2025 By Alex Don, expert in cybersecurity and technology risk

The digital revolution has had a transformative impact on energy transmission and distribution over the last decade. Previously ‘dumb’ systems that could only pass basic instructions to equipment have evolved into intelligent, interconnected networks.

This change is a mixed blessing. The same new capability helping technical teams to magnify their positive impact across these assets can also serve as a force multiplier for hostile actors seeking to disrupt or destroy critical infrastructure.

Protecting against that possibility has been a priority over the past decade. While much progress has been made in hardening organisations against cyber-attacks, those same defences have pushed attackers to look for new ways into systems.

One particularly concerning threat emerged from the ‘shadow war’ between Russia and Ukraine that preceded the 2022 invasion. Instead of traditional physical sabotage or a remote cyber-attack, Ukrainian utilities faced combined (‘dual domain’ or cyber-physical) incidents in which intruders gained physical access to their buildings and launched cyber-attacks on their assets from inside. This new approach had disastrous results and led to power outages and nationwide disruption.

Watching from the UK were the Government, cyber professionals, and our own national utilities. These organisations moved swiftly to ensure similar attacks could not be replicated on British soil.

The unique challenges of cyber-physical attacks

This concern was well founded. Dual domain attacks pose a particular challenge because the technique subverts one of security’s core principles: trust. The digital efforts of a remote cyber threat actor can be identified and blocked because there are few legitimate reasons for a closed system to admit an external user and let them execute harmful instructions.

That calculus changes when the individual jumps over the digital perimeter by physically breaking into a site and connecting directly to a critical operational network. The same behaviour that would look strange and untrustworthy if coming from the outside may go undetected when attempted from within the victim’s own premises. That’s because these systems operate on the assumption that instructions given within the secure zone should be trusted and followed.

This means a hacker who has broken into their target’s offices and connected directly to the network has made their job much easier. Now their malicious instructions will look and feel a lot more like the trusted instructions of legitimate system operators, making detection far more challenging for cyber defenders.
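The implicit trust described above is something a detection rule can refuse to extend. As an added example (not code from the article, nor part of Baringa’s methodology), the following Python script checks each control-network command against an asset inventory, the switch port each inventoried device is expected to occupy, and an authorised maintenance window, so that a write issued from a laptop plugged in on site is flagged even though it originates inside the perimeter. The log format, device names, MAC addresses, switch ports and window times are all constructed for illustration and describe no real network.

```python
"""
Added example: treat 'inside the control network' as a location, not a credential.
Every command is assessed against three things a defender can know in advance:
  1. an inventory of devices permitted to talk to field equipment (keyed by MAC),
  2. the switch port each inventoried device should be plugged into,
  3. planned maintenance windows, outside of which writes are unexpected.
All identifiers below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed inventory: which sources exist, where they should be cabled,
# and whether they may issue writes (e.g. breaker open/close) at all.
KNOWN_SOURCES = {
    "00:1a:2b:3c:4d:01": {"name": "ENG-WS-01", "port": "sw1/g0/3", "may_write": True},
    "00:1a:2b:3c:4d:02": {"name": "HMI-02",    "port": "sw1/g0/4", "may_write": False},
}

# Constructed maintenance window: the only time a write is planned on this day.
MAINTENANCE_WINDOWS = [
    (datetime(2025, 8, 14, 9, 0), datetime(2025, 8, 14, 11, 0)),
]


@dataclass
class Command:
    ts: datetime
    src_mac: str
    src_port: str   # switch port the frame was observed on
    target: str     # field device addressed
    operation: str  # READ or WRITE


def parse_line(line):
    """Parse one constructed log line: ts|src_mac|src_port|target|operation."""
    ts, mac, port, target, op = line.strip().split("|")
    return Command(datetime.fromisoformat(ts), mac.lower(), port, target, op.upper())


def in_maintenance_window(ts):
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def assess(cmd):
    """Return a list of findings; an empty list means the command looks legitimate."""
    findings = []
    src = KNOWN_SOURCES.get(cmd.src_mac)
    if src is None:
        # Not in inventory: what a physically introduced laptop looks like once
        # it is plugged into a control-network switch.
        findings.append("unknown source device")
    else:
        if src["port"] != cmd.src_port:
            # Known address on the wrong port: spoofed MAC or cabling moved.
            findings.append(f"{src['name']} seen on unexpected port {cmd.src_port}")
        if cmd.operation == "WRITE" and not src["may_write"]:
            findings.append(f"{src['name']} is not permitted to write")
    if cmd.operation == "WRITE" and not in_maintenance_window(cmd.ts):
        findings.append("write outside an authorised maintenance window")
    return findings


def triage(lines):
    """Map each log line to its findings, keeping only commands that raised any."""
    results = {}
    for line in lines:
        findings = assess(parse_line(line))
        if findings:
            results[line.strip()] = findings
    return results


# Constructed sample log: a planned engineering write, a routine HMI read,
# a write from a device not in inventory, and an after-hours write from a
# known address that has moved to a different switch port.
SAMPLE_LOG = [
    "2025-08-14T09:30:00|00:1a:2b:3c:4d:01|sw1/g0/3|RTU-17|WRITE",
    "2025-08-14T10:15:00|00:1a:2b:3c:4d:02|sw1/g0/4|RTU-17|READ",
    "2025-08-14T10:20:00|aa:bb:cc:dd:ee:ff|sw1/g0/9|RTU-17|WRITE",
    "2025-08-14T23:05:00|00:1a:2b:3c:4d:01|sw1/g0/9|RTU-17|WRITE",
]

if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LOG).items():
        print(line, "->", "; ".join(findings))
```

The point of the design is that none of the checks ask where the packet crossed the perimeter: a command is judged on whether the device, its physical location and its timing match what the operator already expects, which is the context an intruder with a cable and a laptop cannot easily supply.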

This attack vector becomes even more tempting when you consider that physical security teams are usually focused on preventing theft across a huge number of sites (often tens of thousands for utilities and CNI operators). Hackers are not their normal opponents, and until very recently physical security teams may not have been aware that the digital systems on site held any value to outsiders beyond their resale value as stolen goods.

A new cyber-physical security framework emerges

In response to this new danger, the UK energy regulator, working with the National Cyber Security Centre (NCSC), adopted the NCSC’s Cyber Assessment Framework (CAF) as the basis for hardening UK utilities against malicious state actors. This presented organisations with a new challenge: understand the dual domain threat to their organisation and harden themselves against it.

Simple on paper, this ask proved exceptionally challenging in practice:

  • There was no established methodology that allowed organisations to assess cyber and physical risks in full mutual context
  • Cyber and physical security represent distinct areas of expertise with different cultures, meaning most organisations had minimal overlap between teams in formal governance or operations
  • The only way to test dual domain risk in practice was through field investigations of operational sites. For utilities operating tens of thousands of sites, sampling and assessment seemed an insurmountable task.

Baringa is enlisted to help

The scale of the challenge meant utilities needed to supplement their existing capabilities with specialist skills. Baringa worked together with our clients to bridge that gap. The first crucial step involved building a team with expertise in both security domains. The hostile state actors threatening critical infrastructure are intelligence officers with decades of experience. For them, security has always been a holistic concept covering physical and digital domains. Our clients needed to ensure that their defences were equally well-rounded.

We instilled this mindset from the outset, creating a security-first culture that allowed physical and cyber security teams to ‘meet in the middle’ and collaborate with mutual respect and understanding. Around this foundation, we assembled a multidisciplinary team of cyber professionals, architects, physical security specialists (typically ex-special forces or individuals with counter-terrorism policing experience), and threat intelligence specialists.

Our clients understood that sustainable and effective dual domain risk identification could not be achieved by simply combining existing legacy frameworks. Instead, they sponsored the creation of a new cyber-physical methodology that gave their teams the detail and evidence needed to make impactful change. This new approach, called Adversarial Chain Analysis, involved launching simulated attacks across client sites with mixed-capability teams who were encouraged to use both their cyber and physical skills to inflict damage, revealing unexpected vulnerabilities and security gaps.

Whilst our client sponsors were security professionals, the biggest positive surprise was that our cyber-physical work became an effective catalyst for meaningful transformation across other operational areas. Changes to how sites were classified, categorised, and controlled were eagerly adopted by asset management teams, operational staff, and resilience subject matter experts.

The impact for our clients

Cyber-physical attackers in Ukraine exploited siloed security teams and operational blind spots to overcome their targets. Through our work defending UK CNI, our clients gained greater self-knowledge and built durable relationships between security and operational teams who previously operated in isolation – providing them with a vital edge on would-be cyber-physical attackers. Client-sponsored red team exercises also revealed the gaps and vulnerabilities that attackers might exploit, giving organisations time and space to safely resolve these issues.

Meanwhile, the regulator and security services were thrilled to see their recommendations in action. They invited Baringa’s client delivery team to present our newly minted dual domain security methodology to the National Cyber Security Centre (NCSC) as an example of best practice.

Key takeaways

Our shared experience in addressing the new challenge of cyber-physical attacks proved transformative for the project team, yielding several critical insights.   

Organisational resilience is dual domain. Our clients had organisational resilience teams that ran tabletop exercises for physical outages or cyber-attacks. However, none were running exercises that included both scenarios. Cyber planning consistently assumed physical security had held, whilst physical incident planning presumed robust cyber defences. By introducing dual domain attack scenarios, our clients were able to identify previously overlooked gaps and significantly improve the resilience of critical functions.

Drop the prefixes and think ‘holistic security’. The traditional labels of cyber and physical security often hindered effective collaboration. Initially, linkages between our clients’ security teams were limited at best, with little formal overlap in governance and management. Our methodology provided a ‘town square’ where teams could communicate and collaborate effectively. By thinking like our adversaries, we helped our client foster better cooperation through shared understanding.

Failures of imagination are failures of control. In a threat landscape that’s constantly evolving, ignoring new developments or emergent threat intelligence increases the likelihood of becoming the cautionary tale that establishes a new normal. Our clients’ proactive engagement with threat intelligence may have helped them avoid confronting unfamiliar challenges with an outdated playbook.

What does this mean for your organisation?

Cyber-physical risk holds relevance for any organisation, but it is particularly important for those with operational assets and infrastructure distributed across multiple sites, including transport, manufacturing, and energy companies.

The threat landscape is evolving rapidly, with attackers increasingly integrating cyber-physical methods into their attack plans. In 2020, a criminal group tried to bribe an employee at Tesla’s Nevada gigafactory to introduce malware onto the company network from a USB device, with the aim of stealing data and extorting the company; the employee reported the approach and the attempt failed, a reminder that an insider who is willing to speak up is itself a dual domain control.

Cybersecurity frameworks are also evolving to address physical security concerns. ISO/IEC 27001:2022 groups its Annex A controls into a dedicated physical theme alongside the organisational, people and technological ones, and NIST Cybersecurity Framework (CSF) 2.0 includes managing and monitoring physical access to assets within its Protect function, so both now carry controls that span the two domains and help organisations manage this emergent risk.

These new threats and enhanced frameworks make it more important than ever for organisations to consider a dual domain approach. The following questions offer a helpful starting point:

  • Do you have critical systems with significant cyber protection that could be physically accessed with relative ease, e.g. housed in sites with basic locks and alarms, or in field locations secured only by a lockbox?
  • Are your physical and cyber security teams organisationally siloed, with no routine overlap in governance and operations?
  • Is there no recent or scheduled ‘full spectrum’ resilience tabletop exercise, encompassing all security domains and attack vectors?
  • Are cyber and physical risks tracked and managed in distinct risk registers or risk management frameworks, with little or no connectivity between domains?

If you answered yes to any of these questions and would like to understand the implications, please contact Alex Don or a member of our team. Together, we can explore how dual domain security can strengthen your resilience posture.
